Cisco Cisco FirePOWER Appliance 7020
40-13
FireSIGHT System User Guide
Chapter 40 Creating Traffic Profiles
Understanding Condition-Building Mechanics
For information on the syntax for building traffic profile conditions and host profile qualifications, see:
•
•
Adding and Linking Conditions
License: FireSIGHT
You can create simple traffic profile conditions and host profile qualifications, or you can create more
elaborate constructs by combining and nesting conditions.
When your construct includes more than one condition, you must link them with an AND or an OR operator. Conditions on the same level are evaluated together:
• The AND operator requires that all conditions on the level it controls must be met.
• The OR operator requires that at least one of the conditions on the level it controls must be met.
For example, the following traffic profile contains two conditions linked by AND. This means that the
traffic profile collects connection data only if both conditions are true. In this example, it collects HTTP
connections for all hosts with IP addresses in the 10.4.x.x subnet.
In contrast, the following traffic profile, which collects connection data for HTTP activity in either the
10.4.x.x network or the 192.168.x.x network, has three conditions, with the last constituting a complex
condition.
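The following Python sketch models the level-by-level evaluation described above and runs both profiles over constructed connection records. It is an added illustration, not code or configuration from the FireSIGHT System. The tree representation, the field names `host_ip` and `app_protocol`, the reading of 10.4.x.x and 192.168.x.x as /16 networks, and the exact nesting of the second profile are assumptions, because the figures are not reproduced in this text.

```python
import ipaddress

# Leaf condition: (field, operator, value). Field names are hypothetical.
def leaf(field, op, value):
    return {"field": field, "op": op, "value": value}

# Group: one level of conditions linked by a single AND or OR operator.
def group(operator, *children):
    return {"operator": operator, "children": list(children)}

def matches(node, conn):
    """Evaluate a condition tree against one connection record (a dict)."""
    if "operator" in node:
        results = (matches(child, conn) for child in node["children"])
        return all(results) if node["operator"] == "AND" else any(results)
    actual = conn[node["field"]]
    if node["op"] == "is":
        return actual == node["value"]
    if node["op"] == "is in":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(node["value"])
    raise ValueError(f"unsupported operator: {node['op']}")

HTTP = leaf("app_protocol", "is", "HTTP")
NET_10_4 = leaf("host_ip", "is in", "10.4.0.0/16")
NET_192_168 = leaf("host_ip", "is in", "192.168.0.0/16")

# First profile in the text: two conditions on one level, linked by AND.
SIMPLE = group("AND", HTTP, NET_10_4)
# Second profile: the subnet choice is nested one level down as a complex condition.
NESTED = group("AND", HTTP, group("OR", NET_10_4, NET_192_168))
# Mis-leveled variant: all three on one OR level, so the protocol no longer constrains anything.
FLAT_OR = group("OR", HTTP, NET_10_4, NET_192_168)

# Constructed sample connections (not real data).
SAMPLE = [
    {"host_ip": "10.4.7.20", "app_protocol": "HTTP"},
    {"host_ip": "192.168.1.5", "app_protocol": "HTTP"},
    {"host_ip": "192.168.1.5", "app_protocol": "SSH"},
    {"host_ip": "172.16.0.9", "app_protocol": "HTTP"},
]

def collected(profile):
    return [(c["host_ip"], c["app_protocol"]) for c in SAMPLE if matches(profile, c)]

if __name__ == "__main__":
    for name, profile in [("simple", SIMPLE), ("nested", NESTED), ("flat OR", FLAT_OR)]:
        print(name, collected(profile))
```

The flat OR variant collects every sample record, including the SSH connection, which is why the subnet alternatives belong in a nested complex condition when the profile is meant to capture HTTP only.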