Cisco FirePOWER Appliance 7010
41-6
FireSIGHT System User Guide
Chapter 41 Configuring Remediations
Creating Remediations
Note
Do not use this remediation as a response to a correlation rule that is based on a discovery event; discovery events only transmit a source host and not a destination host. You can use this remediation in response to correlation rules that are based on connection events or intrusion events.
To add the remediation:
Access: Admin/Discovery Admin
Step 1 Select Policies > Actions > Instances.
The Instances page appears.
Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see .
The Edit Instance page appears.
Step 3 In the Configured Remediations section, select Block Destination Network and click Add.
The Edit Remediation page appears.
Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco IOS router instances and multiple remediations for each instance, you may want to specify a name such as IOS_01_BlockDestNet.
Step 5 Optionally, in the Description field, enter a description of the remediation.
Step 6 In the Netmask field, enter the subnet mask or use CIDR notation to describe the network that you want to block traffic to.
For example, to block traffic to an entire Class C network when a single host triggered a rule (this is not recommended), use 255.255.255.0 or 24 as the netmask.
As another example, to block traffic to 30 addresses that include the triggering IP address, specify 255.255.255.224 or 27 as the netmask. In this case, if the IP address 10.1.1.15 triggers the remediation, all IP addresses between 10.1.1.1 and 10.1.1.30 are blocked. To block only the triggering IP address, leave the field blank, enter 32, or enter 255.255.255.255.
Step 7 Click Create, then click Done.
The remediation is added.
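The Netmask value in Step 6 decides how many addresses one correlation event will cut off, so it is worth checking the blast radius before saving the remediation. The following helper is an added example, not part of the FireSIGHT guide or product: it accepts the same three forms the Netmask field accepts (blank, prefix length, dotted mask) and reports the network and host range that would be blocked for a given triggering IP, reproducing the 10.1.1.15 / 27 case from the text.

```python
import ipaddress


def parse_netmask(netmask: str) -> int:
    """Turn a Netmask field value into a prefix length.

    Accepts a blank field (block only the triggering host), a prefix
    length such as "27", or a dotted mask such as "255.255.255.224".
    """
    value = netmask.strip()
    if value == "":
        return 32
    if value.isdigit():
        prefix = int(value)
        if not 0 <= prefix <= 32:
            raise ValueError(f"prefix length out of range: {value}")
        return prefix
    # ipaddress rejects non-contiguous dotted masks such as 255.255.0.255
    return ipaddress.ip_network(f"0.0.0.0/{value}").prefixlen


def blocked_range(trigger_ip: str, netmask: str) -> dict:
    """Return the network the remediation would block when trigger_ip
    fires, together with the host addresses that fall inside it."""
    prefix = parse_netmask(netmask)
    # strict=False lets a host address stand in for its network
    net = ipaddress.ip_network(f"{trigger_ip}/{prefix}", strict=False)
    addrs = list(net)
    # /31 and /32 have no separate network and broadcast addresses
    hosts = addrs if prefix >= 31 else addrs[1:-1]
    return {
        "network": str(net),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "host_count": len(hosts),
        # the guide advises against blocking a whole Class C (/24) or wider
        "wider_than_recommended": prefix <= 24,
    }


if __name__ == "__main__":
    # 10.1.1.15 is the triggering address used in the guide's example
    for mask in ("", "32", "27", "255.255.255.224", "24"):
        print(f"netmask {mask!r:20} -> {blocked_range('10.1.1.15', mask)}")
```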
Cisco IOS Block Source Remediations
License: FireSIGHT
The Cisco IOS Block Source remediation allows you to block any traffic sent from the router to the source host included in a correlation event that violates a correlation policy. The source host is the source IP address in the connection event or intrusion event upon which the correlation rule is based, or the host IP address in a discovery event.
To add the remediation:
Access: Admin/Discovery Admin