Cisco FirePOWER Appliance 7020
FireSIGHT System User Guide
Chapter 41 Configuring Remediations
Creating Remediations
To add the remediation:

Access: Admin/Discovery Admin

Step 1 Select Policies > Actions > Instances.
The Instances page appears.

Step 2 Next to the instance where you want to add the remediation, click View.
If you have not yet added an instance, see .
The Edit Instance page appears.

Step 3 In the Configured Remediations section, select Block Source and click Add.
The Edit Remediation page appears.

Step 4 In the Remediation Name field, enter a name for the remediation.
The name you choose cannot contain spaces or special characters and should be descriptive. For example, if you have multiple Cisco PIX firewall instances and multiple remediations for each instance, you may want to specify a name such as PIX_01_BlockSrc.

Step 5 Optionally, in the Description field, enter a description of the remediation.
The remediation is added.
Configuring Nmap Remediations
License: FireSIGHT

You can respond to a correlation event by scanning the host where the triggering event occurred. You can choose to scan only the port from the event that triggered the correlation event.

To set up Nmap scanning in response to a correlation event, you must first create an Nmap scan instance, then add an Nmap scan remediation. You can then configure Nmap scanning as a response to violations of rules within the policy.

See the following sections:
Adding an Nmap Scan Instance
License: FireSIGHT

You can set up a separate scan instance for each Nmap module that you want to use to scan hosts on your network for operating system and server information. You can set up scan instances for the local Nmap module on your Defense Center and for any managed devices you want to use to run scans remotely. The results of each scan are always stored on the Defense Center where you configure the scan, even if you run the scan from a remote managed device. To prevent accidental or malicious scanning of mission-critical hosts, you can create a blacklist for the instance to indicate the hosts that should never be scanned with the instance.
Note that you cannot add a scan instance with the same name as any existing scan instance.
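As an added illustration, not FireSIGHT code, the shell function below shows what the two options described above (scan only the port from the triggering event, and never scan a host on the instance blacklist) amount to at the Nmap command level. It validates the host and port taken from the correlation event so that event data cannot smuggle extra arguments into the command, refuses a blacklisted host before anything runs, and passes the same list to nmap with --excludefile so the exclusion is enforced a second time inside the scanner. The blacklist file, the function names, the exit codes and the flag choices (-sS/-sU, -sV, -O) are assumptions made for the example; the blacklist contents are constructed.

```shell
#!/bin/sh
# Added example (not FireSIGHT code): build the Nmap command line that a
# "scan the triggering port" remediation would run, honouring an instance
# blacklist of hosts that must never be scanned. Names and exit codes are
# assumptions for this example.

# Constructed blacklist: one IPv4 host per line (nmap --excludefile format).
NMAP_BLACKLIST="${NMAP_BLACKLIST:-$(mktemp)}"
printf '%s\n' 10.0.0.1 10.0.0.2 > "$NMAP_BLACKLIST"

# Return 0 if the host is on the blacklist (exact, whole-line match).
is_blacklisted() {
    grep -qxF -- "$1" "$NMAP_BLACKLIST"
}

# Accept only a dotted-quad IPv4 address, so a hostile event field such as
# "192.0.2.10;id" can never reach the command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Accept only a port number in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the nmap command that scans only the triggering port on the host.
# Exit 2 if the host is blacklisted, 3 if the event fields are malformed.
nmap_cmd_for_event() {
    host=$1; port=$2; proto=${3:-tcp}
    valid_ipv4 "$host" && valid_port "$port" || return 3
    is_blacklisted "$host" && return 2
    case "$proto" in
        tcp) pspec="T:$port"; scan="-sS" ;;
        udp) pspec="U:$port"; scan="-sU" ;;
        *)   return 3 ;;
    esac
    # --excludefile repeats the blacklist inside nmap itself, so a host added
    # to the list after the check above still cannot be scanned.
    printf 'nmap %s -sV -O -p %s --excludefile %s %s\n' \
        "$scan" "$pspec" "$NMAP_BLACKLIST" "$host"
}

# Example use with a constructed event: host 192.0.2.10, port 445/tcp.
nmap_cmd_for_event 192.0.2.10 445 tcp
```

The function only prints the command; wiring it to a real correlation event feed and deciding whether to run the output as root (required for -O and -sS) is left to the deployment. The blacklist check is deliberately performed twice: once in the wrapper, where it can be logged and alerted on, and once by nmap, so that neither a future change to the wrapper nor a host added to the list mid-run can result in a scan of a protected host.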