Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 40 Creating Traffic Profiles
Adding a Host Profile Qualification
Syntax for Host Profile Qualifications
License: FireSIGHT
When you build a host profile qualification condition, you must first select the host you want to use to
constrain your traffic profile. You can select either Responder Host or Initiator Host. After you select the
host role, continue building your host profile qualification condition, as described in the
Although you can configure the network discovery policy to add hosts to the network map based on data
exported by NetFlow-enabled devices, the available information about these hosts is limited. For
example, there is no operating system data available for these hosts, unless you provide it using the host
input feature. In addition, if your traffic profile uses connection data exported by NetFlow-enabled
devices, keep in mind that NetFlow records do not contain information about which host in the
connection is the initiator and which is the responder. When the system processes NetFlow records, it
uses an algorithm to determine this information based on the ports each host is using, and whether those
ports are well-known. For more information, see
To match against implied or generic clients, create a host profile qualification based on the application
protocol used by the server responding to the client. When the client list on a host that acts as the initiator
or source of a connection includes an application protocol name followed by client, that client may
actually be an implied client. In other words, the system reports that client based on server response
traffic that uses the application protocol for that client, not on detected client traffic.
For example, if the system reports HTTPS client as a client on a host, create a host profile qualification for
Responder Host where Application Protocol is set to HTTPS, because HTTPS client is reported as a generic
client based on the HTTPS server response traffic sent by the responder or destination host.
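The NetFlow caveat above matters when a qualification is pinned to Responder Host or Initiator Host, because the role is inferred from ports rather than observed. The following is an added example, not Cisco's code and not the FireSIGHT algorithm (which this page does not give): a simplified port-based heuristic that marks flows whose role assignment is a guess. The 1-1023 well-known range, the lower-port tiebreak, the function names and the sample flows are all assumptions made for illustration.

```python
# Added illustration: a simplified port-based role heuristic.
# Assumption: "well-known" means the IANA system port range 1-1023.
WELL_KNOWN_MAX = 1023


def infer_roles(host_a, port_a, host_b, port_b):
    """Return (initiator, responder, confident) for one flow record.

    confident is False when the ports alone cannot separate the roles,
    so a Responder Host / Initiator Host qualification built on this
    flow may be evaluated against the wrong host.
    """
    a_wk = 0 < port_a <= WELL_KNOWN_MAX
    b_wk = 0 < port_b <= WELL_KNOWN_MAX
    if a_wk != b_wk:
        # Exactly one side uses a well-known port: treat it as the responder.
        return (host_b, host_a, True) if a_wk else (host_a, host_b, True)
    # Both or neither well-known: assumed tiebreak, lower port is the responder.
    if port_a <= port_b:
        return host_b, host_a, False
    return host_a, host_b, False


# Constructed sample flow records: (host, port, host, port).
SAMPLE_FLOWS = [
    ("10.0.0.5", 49152, "10.0.0.20", 443),   # client to HTTPS server
    ("10.0.0.20", 443, "10.0.0.5", 49152),   # same connection, reply direction
    ("10.0.0.7", 50000, "10.0.0.30", 8443),  # service on a non-well-known port
    ("10.0.0.8", 123, "10.0.0.40", 123),     # both sides on a well-known port
]


def ambiguous_flows(flows):
    """Return the flows whose inferred roles should be reviewed by hand."""
    return [f for f in flows if not infer_roles(*f)[2]]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        initiator, responder, confident = infer_roles(*flow)
        note = "" if confident else "  <- role is a guess"
        print(f"initiator={initiator} responder={responder}{note}")
```

Flows returned by `ambiguous_flows` are the ones where a host profile qualification keyed to a single role is least reliable when the connection data comes from NetFlow.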
Table 40-2 Syntax for Host Profile Qualifications

If you specify...                 Select an operator, then...
Host Type                         Select one or more host types from the drop-down list. You can choose
                                  between a normal host or one of several types of network device.
NETBIOS Name                      Type the NetBIOS name of the host.
Operating System > OS Vendor      Select one or more operating system vendor names from the drop-down list.
Operating System > OS Name        Select one or more operating system names from the drop-down list.
Operating System > OS Version     Select one or more operating system versions from the drop-down list.
Network Protocol
Transport Protocol
Host Criticality                  Select the host criticality from the list that appears. You can select
                                  None, Low, Medium, or High. For more information on host criticality, see .
VLAN ID                           Type the VLAN ID number of the host.
Application Protocol >            Select an application protocol from the drop-down list.
Application Protocol