Cisco Cisco Firepower Management Center 2000
37-14
FireSIGHT System User Guide
Chapter 37 Using Host Profiles
Working with Servers in the Host Profile
Working with Servers in the Host Profile
License:
FireSIGHT
If the system detects servers running on a host on your monitored network or if servers are added through
the host input feature or through a scanner or other active source, the Defense Center lists them in the
Servers section of the host profile.
the host input feature or through a scanner or other active source, the Defense Center lists them in the
Servers section of the host profile.
The Defense Center lists up to 100 servers per host. After that limit is reached, new server information
from any source, whether active or passive, is discarded until you delete a server from the host or a server
times out. For more information, see
from any source, whether active or passive, is discarded until you delete a server from the host or a server
times out. For more information, see
.
If you scan a host using Nmap, Nmap adds the results of previously undetected servers running on open
TCP ports to the Servers list. If you perform an Nmap scan on a host or import Nmap results, an
expandable Scan Results section also appears in the host profile, listing the server information detected
on the host by the Nmap scan. See
TCP ports to the Servers list. If you perform an Nmap scan on a host or import Nmap results, an
expandable Scan Results section also appears in the host profile, listing the server information detected
on the host by the Nmap scan. See
and
for more information. In addition, note that if the host is deleted from the
network map, the Nmap scan results for that server for the host are discarded.
Note
Although you can configure your network discovery policy to add server and clients to the network map
based on data exported by NetFlow-enabled devices, the available information about these applications
is limited. For more information, see
based on data exported by NetFlow-enabled devices, the available information about these applications
is limited. For more information, see
.
The process for working with servers in the host profile differs depending on how you accessed the
profile:
profile:
•
If you accessed the host profile by drilling down through the Servers network map, the details for
that server appear with the server name highlighted in bold. If you want to view the details for any
other server on the host, click the view icon (
that server appear with the server name highlighted in bold. If you want to view the details for any
other server on the host, click the view icon (
) next to that server name.
•
If you accessed the host profile in any other way, expand the Servers section and click the view icon
(
(
) next to the server whose details you want to see.
You can also perform the following actions:
•
To analyze the connection events associated with a particular server on the host, click the events icon
next to the server.
next to the server.
The first page of your preferred workflow for connection events appears, showing connection events
constrained by the port and protocol of the server, as well as the IP address of the host. If you do not
have a preferred workflow for connection events, you must select one. For more information about
connection data, see
constrained by the port and protocol of the server, as well as the IP address of the host. If you do not
have a preferred workflow for connection events, you must select one. For more information about
connection data, see
•
To delete a server from the host profile, click the delete icon (
) next to the server.
The server is deleted from the host profile, but will appear again if the system detects traffic from
the server again. Note that deleting a server from a host may bring the host into compliance with a
white list.
the server again. Note that deleting a server from a host may bring the host into compliance with a
white list.
•
To resolve a server identity conflict, click the resolve icon next to the server.
You can choose one of the conflicting identities, choose a variation on one of those identities, or set
a new user-defined identity.
a new user-defined identity.
•
To edit a server identity, click the edit icon (
) next to the server.
You can choose the current identity, choose a variation on that identity, or set a new user-defined
identity.
identity.
Descriptions of the columns in the Servers list follow.