Cisco FirePOWER Appliance 7010
27-18
FireSIGHT System User Guide
Chapter 27 Using the FireSIGHT System as a Compliance Tool
Creating Compliance White Lists
You can configure a compliance white list, using either a shared host profile or a host profile that belongs
to a single white list, to allow certain protocols to run on specific operating systems. You can also
configure a white list to allow certain protocols to run on any valid target; these are called globally
allowed protocols. Note that ARP, IP, TCP, and UDP are always allowed to run on any host; you cannot
disallow them.
For any allowed protocol, you must specify its type (Network or Transport) and number.
To add a protocol to a compliance white list host profile:
Access:
Admin
Step 1
While you are creating or modifying a white list host profile, click the add icon next to Allowed Protocols (or next to Globally Allowed Protocols if you are modifying the Any Operating System host profile).
A pop-up window appears. The protocols listed are:
• protocols that you created within the white list
• protocols that were running on hosts in the network map when you surveyed your networks as described in
• protocols that are used by other host profiles in the white list, which may include built-in protocols created by the VRT for use in the default white list
Step 2
You have two options:
• To add a protocol already in the list, select it and click OK. Use Ctrl or Shift while clicking to select multiple protocols. You can also click and drag to select multiple adjacent protocols.
The protocol is added. Note that if you added a built-in protocol, its name appears in italics. You can skip the rest of the procedure, or optionally, to change any of the protocol's values (such as the type or number), click the protocol you just added to display the protocol editor.
• To add a new protocol, select <New Protocol> and click OK.
The protocol editor appears.
Step 3
From the Type drop-down list, select the protocol type: Network or Transport.
Step 4
Specify the protocol. You have two options:
• Select a protocol from the drop-down list.
• Select Other (manual entry) and type the protocol number. For network protocols, type the appropriate number as listed in http://www.iana.org/assignments/ethernet-numbers/. For transport protocols, type the appropriate number as listed in http://www.iana.org/assignments/protocol-numbers/.
Step 5
Click OK.
The protocol is added. Note that you must save the white list for your changes to take effect.
If you added a protocol to a white list that is used by an active correlation policy, after you save the white
list, the target hosts are re-evaluated. Although this re-evaluation may bring some hosts into compliance,
it does not generate any white list events.
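The white list model described above (allowed protocols identified by type and IANA number, per-operating-system host profiles, globally allowed protocols, the always-allowed ARP/IP/TCP/UDP, and the silent re-evaluation after a protocol is added) can be reasoned about with a small evaluator. The following is an added illustration, not code from the FireSIGHT System; the host inventory, OS names and addresses are constructed, and only the allowed-protocol check is modelled (OS and service compliance are out of scope).

```python
from dataclasses import dataclass, field

# A protocol is identified the way the white list records it: its type
# ("Network" or "Transport") plus its IANA number (Ethernet type for Network
# protocols, IP protocol number for Transport protocols).
# ARP, IP, TCP and UDP are always allowed on any host and cannot be disallowed.
ALWAYS_ALLOWED = frozenset({("Network", 0x0806), ("Network", 0x0800),
                            ("Transport", 6), ("Transport", 17)})


@dataclass
class WhiteList:
    globally_allowed: set = field(default_factory=set)   # "Any Operating System" profile
    host_profiles: dict = field(default_factory=dict)    # OS name -> set of protocols

    def allow(self, protocol, os_name=None):
        """Add a protocol globally (os_name None) or to a single host profile."""
        target = (self.globally_allowed if os_name is None
                  else self.host_profiles.setdefault(os_name, set()))
        target.add(protocol)

    def allowed_for(self, os_name):
        return ALWAYS_ALLOWED | self.globally_allowed | self.host_profiles.get(os_name, set())

    def evaluate(self, hosts):
        """hosts: {ip: (os_name, observed protocols)} -> {ip: protocols not allowed there}."""
        return {ip: observed - self.allowed_for(os_name)
                for ip, (os_name, observed) in hosts.items()}


def reevaluate(wl, hosts, before):
    """Re-evaluate hosts after a white list change. Returns (now_compliant, new_violations).
    A white list event is only raised for a new violation, so after adding a protocol
    new_violations is empty even though now_compliant may not be."""
    after = wl.evaluate(hosts)
    now_compliant = {ip for ip in hosts if before[ip] and not after[ip]}
    new_violations = {ip for ip in hosts if after[ip] - before[ip]}
    return now_compliant, new_violations


# Constructed sample inventory (illustrative OS names and addresses).
HOSTS = {
    "10.0.0.5":  ("Windows", {("Transport", 6), ("Transport", 17), ("Transport", 1), ("Network", 0x0806)}),
    "10.0.0.9":  ("Linux",   {("Transport", 6), ("Transport", 47)}),   # GRE
    "10.0.0.12": ("FreeBSD", {("Transport", 6), ("Transport", 132)}),  # SCTP
}


def demo():
    wl = WhiteList(host_profiles={"Linux": {("Transport", 47)}})  # GRE allowed on Linux only
    before = wl.evaluate(HOSTS)            # ICMP on Windows and SCTP on FreeBSD violate
    wl.allow(("Transport", 1), "Windows")  # Steps 1-5 on the Windows host profile
    wl.allow(("Transport", 132))           # Steps 1-5 under Globally Allowed Protocols
    return before, reevaluate(wl, HOSTS, before)
```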
Adding a Shared Host Profile to a Compliance White List
License:
FireSIGHT