FireSight DC change

Feature: FireSight management running version 6.0.1

If another user logs in to the management GUI and makes a change, such as disabling an interface or changing Firepower recommendations or a policy, but does not push the policy or does not fully apply the changes, is there a place where I can log in and see what was changed and whether it has been pushed or applied yet?

It seems that you can see it in different places if you know where to look, but there is no status notification in one place.

Hello

You can go to System > Monitor > Audit and check the audit logs. They will not be detailed, but they will let you know which pages the user navigated to and which subsystem was called.

If you want to track whether the device is up to date, click Deploy. If there are any devices that must be deployed, they will populate there. You will see a "+" icon that shows the details of what has not been pushed to the device.

Guillaume

Tags: Cisco Security

Similar Questions

  • FireSight/User Agent Error: [2201] - login information from IP to IP report failed after TIME [a call to SSPI failed, see inner exception.]

    We have a FireSIGHT system with a version 5.4.0.5 Virtual Data Center and several ASA devices. We have set up some User Agents to collect user logon and logoff information from the MS AD servers and met 2 problems:

    (1) All User Agent servers (Windows Server 2008R2/64/SP1 and Windows Server 2012R2) report error 2201. They can pull the AD server logon information correctly and export the correct user card, and can communicate with the virtual data center, but just cannot send data to it. Meanwhile, a User Agent on the Windows 2008 STD/SP2 server works perfectly. We have tried 3 other servers, 2 versions of the User Agent, the en-us locale and 2 versions of .NET. Nothing has changed.

    (2) We prefer to have only 1 User Agent, but 1 User Agent supports 5 DC servers max. We set up a central AD server that successfully collects the security logs of all AD servers into its 'Reported events' event log file, and set the User Agent to extract data from this central AD server. The User Agent pulls logon events, but only from the "Windows Logs - Security" folder, never from "reported events." Is the User Agent designed to read from "Windows Logs - Security" only?

    [2201] - report of the login information of the USER-AGENT-SERVER to 10.xx.xx.xx failed after the 14/07/2016 09:08:55. [A call to the SSPI failed, see inner exception.].

    This problem is known.

    Please uninstall the Microsoft updates KB3161606 and KB3161608.

    After inspection, the issue seems to be a specific change to the default Cipher Suites:

    https://support.Microsoft.com/en-us/KB/3161639

    There is a bug created for this.

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCva32331

    Rate if this helps.

    Yogesh

  • Blocking of hosts using Firesight and firepower

    I was curious whether there is a section in FireSIGHT where it could be programmed to block hosts, like the host blocks section in Cisco IPS? A bit like the list of hosts blocked for triggering signatures. I am trying to translate this into the new product.

    In addition, the event action filters. Might one possibility be a trust rule in the correct access control policy?

    Hello

    The access control policy has a Security Intelligence tab that allows you to block connections to/from any IP address you put into the blacklist. You could also simply log instead of block by enabling logging and changing the action from drop to monitor.

    Security Intelligence is configurable per access control policy.

    Under Object Management, in the section, you can also import a .txt file containing IP addresses, or create a feed pointing to a server where the .txt file is hosted.

    A trust rule action implies that you will perform inspection of traffic that matches your rule conditions.

    Hope this helps

    Paul

  • Cisco Firesight "No any Data"

    Dear experts,

    I'm quite new to Cisco Firepower. I have 2 Cisco ASA5555 with Firepower, deployed as active/standby. We have three zones: inside, outside and management. The FireSIGHT server sits in the management zone. I registered all the Cisco Firepower modules to the FireSIGHT center, and traffic is already redirected for inspection by the Firepower module on the Cisco ASA. I applied the default IPS rule to the registered devices. I left it for 2 days, and when I then looked at Cisco FireSIGHT there was no information at all. It showed 'No Data'. I wonder whether I am missing some configuration. I tried to re-register the devices but it is still the same. Please see the diagram below for more details.

    I would like to have support for this issue. If you have any questions please let me know.

    - Inside interface: ip add 192.168.100.x/24

    - Outside interface: ip add x.x.x.x/24

    - Management interface: ip 10.100.100.x/24

    - FireSight server ip: 10.100.100.x/24

    Hello putmanoait,

    Since this is a new installation, try installing the latest code to use all the new features with the device. After a correct installation, and with all the required licenses in place, including the Firesight host license, you must ensure that the traffic is correctly redirected through the Firepower module. If traffic is redirected to Firepower, you can see it by enabling logging under Policies > Access Control > Access Control > Rules > Logging > Log at Beginning of Connection or Log at End of Connection. Once you have enabled logging, save and reapply or redeploy the policy changes. Each device has its own database connection parameters. You can check the following link to see how many events can be stored on the device.

    http://www.Cisco.com/c/en/us/TD/docs/security/firesight/541/user-guide/F...

    If you can see the respective connection events under Analysis > Connection Events, the dashboard data should also populate. If you have already enabled the above and still no events are coming in, please proceed as follows after connecting to the Firesight CLI and elevating to the root user.

    (1) check that the following service is running

    pmtool status | grep SFTop10Cacher

    (2) restart the service

    pmtool restartbyid SFTop10Cacher

    (3) you should see the service as running with a different pid

    pmtool status | grep SFTop10Cacher

    Check the dashboard after 30 minutes.

    Rate and mark correct if the post helps you.

    Regards

    Jetsy

  • FireSIGHT suppression

    When you add a suppression to a rule, does it just suppress the event display, or does it override the action too?

    You can suppress intrusion event notification for a rule or rules. When notification is suppressed for a rule, the rule triggers but events are not generated. You can set one or more suppressions for a rule. The first suppression listed has the highest priority. Note that when two suppressions conflict, the action of the first is carried out.

    FireSIGHT System User Guide Version 5.4.1

    If I add a suppression to a rule that is set to block, will it still block, just not alert?

    I have a false positive that I want to exclude for a specific host, but I do not want to disable the entire rule. If the false positive triggers, I don't want traffic to be dropped AND I don't want to be alerted.

    The concept of suppression has had its interpretations over time. The block will continue, but no alert will be generated, or in fact any notification. If your intention is to completely exclude an IP, a group of IPs or a segment, then you must change the signature (which will create a local signature), and under the local signature you can make any changes that you need to the source or destination, even to the ports and other settings. However, you will need to activate this signature and disable the other. And don't forget that updates to the original signature will not appear in the modified signature.

  • [Issue] Sourcefire/Firesight Syslog to include the inline result

    Hi guys,

    I have set up an alert to syslog on the Firesight Virtual Defense Center, but I can't get the inline result for events.

    Here is an example of a raw event that I received:

    April 14 01:09:20 XXX XXXX: [primary detection engine (a9d9147e-dd96-11e2-a935-a6cb913df812)] [XXXX] [1:34463:2] 'Attempt to outgoing connection of the TeamViewer APP-DETECT remote administration tool' [Classification: potential Violation of company policy] user: unknown, Application: TeamViewer, Client: Internet Explorer, Protocol App: HTTPInterface infiltration: s1p2, output interface: s1p1, entry Security Zone: external, out of Security Zone: internal, [priority: 1] {TCP} x.x.x.x:51355 -> x.x.x.x:80

    Here we can see the Snort ID, source, destination and port, but not the inline result (whether it was dropped or not).

    Is there any way to change this and include the inline result using syslog?

    Thank you

    Hello

    Yes, you are right that changing severity and priority will not make a difference.

    Check: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux57517/?reffering_site...

    Apparently, in 5.4 and 6.0, according to the user guide, only the following fields will be seen in syslog:

    -date and time of the alert generation

    -event message

    -event data

    -ID of the triggering event for the generator

    -Snort event trigger ID

    -review

    Kind regards

    Aastha Bhardwaj

    Rate if this is useful!

  • Sourcefire 6.0 / FireSIGHT MC 6.0 - users do not populate

    Edit: moved to Sourcefire category.

    ---

    Hi all

    I was wondering if someone can point me in the right direction here. I have a customer running Sourcefire 6.0 with the FireSIGHT MC and am having a problem with the IP address to user mapping.  Under Analysis > Users > Users I do not have all the records.  I went to the realm configuration under Integration, which tests OK, and configured the user download, which pulls down groups, so I know that the link to the realm is there.  The tasks show a successful LDAP synchronization with 2 groups and 293 users.  The identity policy has been deployed with passive authentication, and the Active Directory User Agent is installed on the system and successfully tested.  I noticed the following in the locally stored syslogs (hostname and user name changed) and I wonder if it has something to do with it?

    2 February 2016 12:31:36 SF - IMS HOSTNAME [30127]: [30170] SFDataCorrelator:UserIdentity [WARN] could not find the Kingdom for the user user1, area XX
    2 February 2016 12:31:35 SF - IMS HOSTNAME [30127]: [30172] SFDataCorrelator:UserIdentity [WARN] could not find the realm for user user2, area XX

    Any other information needed let me know.

    Thank you

    Keith

    // // //

    Hello

    Check this: https://tools.cisco.com/bugsearch/bug/CSCux39125/?reffering_site=dumpcr

    To get the users properly associated with their IP addresses, the solution is to change the 'AD Primary Domain' field in the realm configuration to the short name of the domain. This name is visible in the message in the logs.

    After you change this field, save the realm configuration and make sure that the user download continues to work as expected.

    Kind regards

    Aastha Bhardwaj

    Rate if this is useful!

  • FireSight Management

    We recently got a quote for an HA pair of 5506s with Firepower and were surprised to see that it included a virtual machine for the FireSight management application.  I heard from some people that the virtual machine is not necessary and that we can run the management application on the ASA.  Is this true, and if so, how well does it work?  Is there a lot of benefit to running the virtual machine on an ESX host versus on the ASA?

    The ASA will be used for general web traffic from the office staff out to the internet.  There will be no internal sites with static NAT configured on this ASA.

    My recommendation is that ASDM-based Firepower management is only good for lab or single device installations.

    Even on a basic HA pair, if you use the ASDM approach, you must replicate each change on both units, since they have no knowledge of each other and do not synchronize the Firepower configuration as the base ASA does...

  • Cisco Firesight time management center

    Hello

    Is it possible to change the time on Cisco Firesight Management Center after I'm done with the initial configuration? I need to change the time zone again as it has been set to an incorrect value, and I can't find an option to do so.  We run the system on ESXi and I can access the CLI console as well.

    Kind regards

    It is set per user: user name (top right of the FMC GUI) > User Preferences > Time Zone Preference.

  • Predefine FireSight Virtual Center of defence...

    I'm looking at a redundant ASA5525-X firewall configuration with FireSight IPS for my client.

    I will set it up in advance in my lab (as well as other components of the project), and I want to make sure that I have no issues with the VDC in the production environment at the time I install it. In particular, I don't want to make it work in my lab and then find that the license has been invalidated because I put the VDC on another VMware host/cluster.

    What I intend to do is set everything up and activate the license on my test VMware host, then export the VDC to an OVF for deployment in the production environment. So I expect to connect everything up and deploy the OVF as a fully functional guest.

    Can anyone confirm that this is a valid procedure? I think it should be, but I don't want to be surprised when I'm in front of my client.

    Thank you...

    I was told by a Cisco SE that you can do it. I haven't tried it and have my doubts that it is always the case.

    My reasoning is that an FMC license key is derived from the MAC address of the server. There are some ways to move a virtual machine which do not carry over the original MAC address.

    I could not test it, but I think that if the MAC address of the virtual machine changes, the associated licenses are not valid.

    An alternative is to export only the policies that you create in the lab and install them, with newly issued licenses, on a newly built VM in the customer environment.

  • The traffic load between Cisco ASA Firepower and FireSight Management Center

    Hi all

    I have a stupid question to ask.

    Can I know what the traffic load and the I/O flow are between Cisco ASA Firepower and FireSight Management Center?

    Currently working on a project, client require such information to adapt to their network. Tried to find in the document from Cisco, but no luck.

    Maybe you all have no idea to provide.

    It varies depending on the number of events reported from the module to the FMC. No events = only health checks and policy changes are exchanged. 10,000 events per second = much more traffic.

    Generally it is not a heavy load, however.

  • FireSight: How to display the list of blocked Intrusions

    Hello

    Among the many useful menus/options available under FireSight (used to run the Firepower IPS in the ASA firewalls), is there one which will display a list of detected intrusions that were blocked by Firepower?

    Thanks for all your comments

    Yes you can. Go to Analysis > Intrusions > Events > Edit Search. This will load a new window, and there you can see a field called "Inline Result". Here you can set the result to "dropped", "would have dropped", etc. You can save this search and use it later.

    Thank you for evaluating useful messages!

  • I changed my Apple ID to my new married name, but somewhere it is still hanging on to my old details

    After getting married, I updated my Apple ID with my new name and e-mail address.  This well it worked and I can access iTunes etc but my iCloud storage is almost full and I tried to connect to improve it but it still shows my old email address and name.  I can't connect to it knowing that I replaced all the details so the old account doesn't really exist, but it will not display my new address.  I went in my Apple ID to see where he was always picking up the old name/e-mail since but there just my new details (as it should) and I don't see where it's always the old details.  How to forget my old data.  I have almost no storage iCloud and have no way to resolve this issue now.

    Thank you very much

    When you update the primary e-mail address on an account, you must then sign out and sign back in everywhere that the account is used: What to do when you have changed your Apple ID email address or password - Apple Support

    If you are being invited for the password of the account when you try to disconnect from the iCloud on the device and the computer test: If iCloud asks you the password to your Apple ID - Apple Support previous

  • I need to change my security issues and said we do not have enough information to reset your

    I need to change my security questions, but it said "we have insufficient information to reset the security questions of your Apple ID". My ID is [email protected]. I want to solve this problem, please help me.

    You should contact the Apple account security team. To reach them, click here and choose a method; if this page does not list one for your country or if you are unable to call, complete and submit this form.

  • How to change the name of iWatch

    For some reason when I bought the new iPhone 7 and complete matching, it has the wrong name.  I must say my name and my husband.  I have looked at everything in the watch/phone and may not know how to solve this problem.  Anyone has any ideas on how to get my name back?

    Thank you

    J

    Hello

    On your iPhone, in the application of the watch, go to: Watch My > General > topic > name - change the name as desired.
