Configuring High Availability
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
To ensure the continuity of operations, the high availability feature allows you to designate redundant Defense Centers to manage devices. Event data streams from managed devices to both Defense Centers and certain configuration elements are maintained on both Defense Centers. If one Defense Center fails, you can monitor your network without interruption using the other Defense Center.
See the following sections for more information about setting up high availability:
Using High Availability
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
DC1500s, DC2000s, DC3500s, and DC4000s support high availability configurations; DC750s and the virtual Defense Centers do not. Cisco strongly recommends that both Defense Centers in a high availability pair be the same model. Do not attempt to set up high availability between different Defense Center models.
Although Defense Centers in high availability mode are designated primary and secondary, you can make policy or other changes to either Defense Center. However, Cisco recommends that you change configurations only on the primary Defense Center and that you keep your secondary Defense Center as a backup.
Defense Centers periodically update each other on changes to their configurations, and any change you make to one Defense Center should be applied on the other Defense Center within ten minutes. (Each Defense Center has a five-minute synchronization cycle, but the cycles themselves could be out of synchronization by as much as five minutes, so changes appear within two five-minute cycles.) During this ten-minute window, configurations may appear differently on the Defense Centers.
For example, if you create a policy on your primary Defense Center and apply it to a device that is also managed by your secondary Defense Center, the device could contact the secondary Defense Center before the Defense Centers contact each other. Because the device has a policy applied to it that the secondary Defense Center does not recognize, the secondary Defense Center displays a new policy with the name “unknown” until the Defense Centers synchronize.
Also, if you make conflicting policy or other changes to both Defense Centers within the same window between Defense Center syncs, the last change you make takes precedence, regardless of the designation of the Defense Center as primary or secondary.
Before you establish a high availability pair, note the following prerequisites:
- Make sure both Defense Centers have a user account named admin with Administrator privileges. These accounts must use the same password.
- Make sure that other than the admin account, the two Defense Centers do not have user accounts with identical user names. Remove or rename one of the duplicate user accounts before you establish high availability.
Note that Defense Centers configured as a high availability pair do not need to be on the same trusted management network, nor do they have to be in the same geographic location.
To ensure continuity of operations, both Defense Centers in a high availability pair must have Internet access; see Internet Access Requirements. For specific features, the primary Defense Center contacts the Internet, then shares information with the secondary during the synchronization process. Therefore, if the primary fails, you should promote the secondary to Active as described in Monitoring and Changing High Availability Status.
For more information on which configurations are shared or not shared between members of a high availability pair, see:
Shared Configurations
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Defense Centers in a high availability pair share the following information:
- user account attributes, authentication configurations, and custom user roles
- authentication objects for user accounts and user awareness, as well as the users and groups that are available to user conditions in access control rules
- custom dashboards
- custom workflows and tables
- device attributes, such as the device’s host name, where events generated by the device are stored, and the group in which the device resides
- access control, SSL, network analysis, intrusion, file, and network discovery policies
- local intrusion rules
- custom intrusion rule classifications
- network discovery policies
- user-defined application protocol detectors and the applications they detect
- activated custom fingerprints
- host attributes
- network discovery user feedback, including notes and host criticality; the deletion of hosts, applications, and networks from the network map; and the deactivation or modification of vulnerabilities
- correlation policies and rules, compliance white lists, and traffic profiles
- change reconciliation snapshots and report settings
- intrusion rule, geolocation database (GeoDB), and vulnerability database (VDB) updates
- reusable objects, including variable sets, associated with any of the above configurations
Health and System Policies
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Health and system policies for Defense Centers and managed devices are shared in high availability pairs. Allow enough time to ensure that information about health policies, modules, and blacklists is synchronized on a newly activated Defense Center.
Note Although system policies are shared by Defense Centers in a high availability pair, they are not automatically applied. If you want identical system policies on both Defense Centers, apply the policy after it synchronizes.
Defense Centers in a high availability pair share the following system and health policy information:
- system policies
- system policy configurations (what policy is applied where)
- health policies
- health monitoring configurations (what policy is applied where)
- which appliances are blacklisted from health monitoring
- which appliances have individual health monitoring policies blacklisted
Correlation Responses
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Although Defense Centers share correlation policies, rules, and responses, Defense Centers do not share the associations between correlation rules and their responses. This is to avoid launching duplicate responses when correlation policies are violated.
You must upload and install any custom remediation modules and configure remediation instances on your secondary Defense Center before remediations are available to associate with correlation policies. If the primary Defense Center fails, not only should you quickly associate your correlation policies with the appropriate responses and remediations on the secondary Defense Center, but you must also use the web interface on the secondary Defense Center to promote it to Active to maintain continuity of operations. For more information, see Monitoring and Changing High Availability Status. For more information about correlation responses, see Creating Correlation Policies and Creating Remediations.
When you restore your primary Defense Center after a failure, if you created associations between rules or white lists and their responses and remediations on the secondary Defense Center, make sure you remove the associations so responses and remediations will only be generated by the primary Defense Center.
Licenses
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Defense Centers in a high availability pair do not share licenses. You must add equivalent licenses to each member of the pair. For more information, see Understanding Licensing.
URL Filtering and Security Intelligence
License:
URL Filtering or Protection
Supported Devices:
Series 3, virtual, X-Series, ASA FirePOWER
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
URL filtering and Security Intelligence configurations and information are synchronized between Defense Centers in a high availability deployment. However, only the primary Defense Center downloads URL category and reputation data and updates to Security Intelligence feeds.
If the primary Defense Center fails, not only must you make sure that the secondary Defense Center can access the URL filtering cloud and any configured feed sites, but you must also use the web interface on the secondary Defense Center to promote it to Active. For information, see Monitoring and Changing High Availability Status.
Cloud Connections and Malware Information
License:
Any or Malware
Supported Devices:
Any except Series 2 or X-Series
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
Although they share file policies and related configurations, Defense Centers in a high availability pair share neither Collective Security Intelligence Cloud connections nor malware dispositions. To ensure continuity of operations, and to ensure that detected files’ malware dispositions are the same on both Defense Centers, both primary and secondary Defense Centers must have access to the cloud. For more information, see Understanding Malware Protection and File Control.
User Agents
License:
FireSIGHT
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
User Agents can connect to up to five Defense Centers at a time. You should connect agents to the primary Defense Center. If the primary Defense Center fails, you must make sure that any agents can communicate with the secondary Defense Center. See Using User Agents to Report Active Directory Logins for more information.
Guidelines for Implementing High Availability
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
To take advantage of high availability, you must follow the guidelines in the following sections.
Primary and Secondary Defense Center Requirements
You must designate one Defense Center as the primary Defense Center and one as the secondary. When appliances switch from Active to Inactive (and vice versa), they retain their original primary and secondary designations.
Regardless of their designations as primary and secondary, both Defense Centers can be configured with policies, rules, managed devices, and so on before you set up high availability.
To avoid confusion, start with the secondary Defense Center in its original state. That is, you have not created or modified any policies, nor created any new rules, nor have you previously managed any devices with it. To make sure the secondary Defense Center is in its original state, restore it to factory defaults. Note that this also deletes event and configuration data from the Defense Center. For more information, see the FireSIGHT System Installation Guide.
Version Requirements
Both Defense Centers must be running the same software and rule update version. Additionally, this software version must be the same or newer than the software version of managed devices.
Communication Requirements
By default, paired Defense Centers use port 8305/tcp for communications. You can change the port as described in Changing the Management Port.
The two Defense Centers do not need to be on the same network segment, but each of the Defense Centers must be able to communicate with the other and with the devices they share. That is, the primary Defense Center must be able to contact the secondary Defense Center at the IP address on the secondary Defense Center’s own management interface, and vice versa. In addition, each Defense Center must be able to contact the devices it manages or the devices must be able to contact the Defense Center.
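The pairing prerequisites (admin accounts, no duplicate user names) and the model and version requirements in these guidelines are easy to check before touching either web interface. The following Python pre-flight check is an added example, not Cisco code: the data structures and field names are assumptions, the one-major-version-lower device rule is taken from the Adding Devices section later on this page, and reading the second version component as the "major" version (5.4 accepts 5.3.x but not 5.2.x) is an assumption based on that section's example.

```python
"""Pre-flight check before pairing two Defense Centers for high availability.

Added example, not Cisco code. It encodes the prerequisites stated on this
page: an HA-capable model, the same model on both peers, identical software
and rule update versions, an 'admin' account on both peers with the same
password, no other duplicate user names, and managed devices that run a
software version no newer than the Defense Center and not more than one
major version older. Data structures and field names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Models this page says cannot be paired (the virtual Defense Center and DC750).
HA_UNSUPPORTED_MODELS = {"DC750", "virtual"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """'5.4.0' -> (5, 4, 0); missing trailing components count as zero."""
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def device_version_ok(dc_version: str, device_version: str) -> bool:
    """The Defense Center must be the same or newer, and a device may not be
    more than one major version lower. The page's example (5.4 accepts 5.3.x
    but not 5.2.x) treats the second component as the major version; this
    function assumes that reading."""
    dc = parse_version(dc_version)
    dev = parse_version(device_version)
    if dev > dc or dev[0] != dc[0]:
        return False
    return dc[1] - dev[1] <= 1


@dataclass
class DefenseCenter:
    name: str
    model: str
    software: str
    rule_update: str
    # username -> constructed credential token; equal tokens mean equal passwords
    users: Dict[str, str]
    # (device hostname, device software version)
    managed_devices: List[Tuple[str, str]] = field(default_factory=list)


def preflight(primary: DefenseCenter, secondary: DefenseCenter) -> List[str]:
    """Return a list of blocking problems; an empty list means the pair is ready."""
    problems: List[str] = []
    for dc in (primary, secondary):
        if dc.model in HA_UNSUPPORTED_MODELS:
            problems.append(f"{dc.name}: model {dc.model} does not support high availability")
        if "admin" not in dc.users:
            problems.append(f"{dc.name}: no 'admin' account with Administrator privileges")
    if primary.model != secondary.model:
        problems.append(f"model mismatch: {primary.model} vs {secondary.model}")
    if primary.software != secondary.software:
        problems.append(f"software version mismatch: {primary.software} vs {secondary.software}")
    if primary.rule_update != secondary.rule_update:
        problems.append(f"rule update mismatch: {primary.rule_update} vs {secondary.rule_update}")
    if ("admin" in primary.users and "admin" in secondary.users
            and primary.users["admin"] != secondary.users["admin"]):
        problems.append("the 'admin' accounts must use the same password on both Defense Centers")
    # Any user name other than admin that exists on both peers must be removed or renamed.
    for name in sorted((set(primary.users) & set(secondary.users)) - {"admin"}):
        problems.append(f"duplicate user name '{name}' exists on both Defense Centers")
    # Every device a peer already manages must stay compatible with that peer's version.
    for dc in (primary, secondary):
        for host, version in dc.managed_devices:
            if not device_version_ok(dc.software, version):
                problems.append(f"{dc.name}: device {host} runs {version}, "
                                f"which is incompatible with {dc.software}")
    return problems


# Constructed sample pair: same model and versions, but a shared non-admin
# user name and one managed device too old for its Defense Center.
PRIMARY = DefenseCenter("dc-primary", "DC2000", "5.4.0", "2015-01-05-001-vrt",
                        {"admin": "tok-A", "analyst": "tok-B"},
                        [("sensor-a", "5.3.1")])
SECONDARY = DefenseCenter("dc-secondary", "DC2000", "5.4.0", "2015-01-05-001-vrt",
                          {"admin": "tok-A", "analyst": "tok-C"},
                          [("sensor-b", "5.2.0")])

if __name__ == "__main__":
    for problem in preflight(PRIMARY, SECONDARY):
        print("BLOCKER:", problem)
```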
Setting Up High Availability
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
To use high availability, you must designate one Defense Center as the primary and another Defense Center of the same model as the secondary. For information about editing the remote management communications between the two appliances, see Editing Remote Management.
Caution Cisco recommends that you change configurations only on the primary Defense Center and that you use your secondary Defense Center as a backup.
Before you configure high availability, make sure you synchronize time settings between the Defense Centers you want to link. For details on setting time, see Synchronizing Time.
Depending upon the number of policies and custom standard text rules they have, it may take up to 10 minutes before all the rules and policies appear on both Defense Centers. You can view the High Availability page to check the status of the link between the two Defense Centers. You can also monitor the Task Status to see when the process completes. See Monitoring and Changing High Availability Status.
If one of the Defense Centers in the high availability pair must be reimaged, disable the high availability link first. After you reimage the Defense Center, re-establish the high availability pair and the data will synchronize from the existing Defense Center to the newly added Defense Center. If a Defense Center cannot be reimaged (for example, the appliance has failed), contact Support.
To set up high availability for two Defense Centers:
Access:
Admin
Step 1 Log into the Defense Center that you want to designate as the secondary Defense Center.
Step 2 Select System > Local > Registration.
The Registration page appears.
Step 3 Click High Availability.
The High Availability page appears.
Step 4 Click the secondary Defense Center option.
The Secondary Defense Center Setup page appears.
Step 5 Type the hostname or IP address of the primary Defense Center in the Primary DC Host text box.
Caution Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
Note that you can leave the Primary DC Host field empty if the management host does not have a routable address. In that case, use both the Registration Key and the Unique NAT ID fields.
Step 6 Type a one-time-use registration key in the Registration Key text box.
Step 7 Optionally, in the Unique NAT ID field, type a unique alphanumeric registration ID that you want to use to identify the primary Defense Center. See Working in NAT Environments on page 4-8 for more information.
Step 8 Click Register.
A success message appears, and the Peer Manager page appears, showing the current state of the secondary Defense Center.
Step 9 Using an account with Admin access, log into the Defense Center that you want to designate as the primary.
Step 10 Select System > Local > Registration.
The Registration page appears.
Step 11 Click High Availability.
The High Availability page appears.
Step 12 Click the primary Defense Center option.
The Primary Defense Center Setup page appears.
Step 13 Type the hostname or IP address of the secondary Defense Center in the Secondary DC Host text box.
Caution Make sure you use hostnames rather than IP addresses if your network uses DHCP to assign IP addresses.
Step 14 Type the same one-time-use registration key in the Registration Key text box that you used in step 6.
Step 15 If you used a unique NAT ID on the secondary Defense Center, type the same registration ID that you used in step 7 in the Unique NAT ID text box.
Step 16 Click Register.
A success message appears, and the Peer Manager page appears, showing the current state of the primary Defense Center.
Monitoring and Changing High Availability Status
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
After you have identified your primary and secondary Defense Centers, from either appliance in the high availability pair you can view information about the local Defense Center and its peer, including:
- the peer IP address or host name
- the peer product model
- the peer software version
- the peer operating system
- the amount of time since the members of the high availability pair last synchronized
- the role and status of the local appliance (Active & Primary, Inactive & Primary, Inactive & Secondary, or Active & Secondary)
You can also use the High Availability page to change the roles of the Defense Centers if the primary Defense Center fails. Because the system restricts the following functionality to the primary Defense Center, if that appliance fails, you must promote the secondary Defense Center to Active:
To check high availability status:
Access:
Admin
Step 1 Log into one of the Defense Centers that you linked using high availability.
Step 2 Select System > Local > Registration.
The Registration page appears.
Step 3 Click High Availability.
The High Availability page appears.
Step 4 Under High Availability Status, you can view the following information about the Defense Centers in the high availability pair:
- the peer IP address or host name
- the peer product model
- the peer software version
- the peer operating system
- the amount of time since the members of the high availability pair last synchronized
- the role and status of the local appliance (Active & Primary, Inactive & Primary, Inactive & Secondary, or Active & Secondary)
- the option to switch roles between the two Defense Centers
Step 5 The two Defense Centers automatically synchronize within ten minutes (five minutes for each Defense Center) after any action that affects a shared feature. For example, if you create a new policy on one Defense Center, it is automatically shared with the other Defense Center within 5 minutes. However, if you want to synchronize the policy immediately, click Synchronize.
Note If you delete a device from a Defense Center configured in a high availability pair and intend to re-add it, Cisco recommends that you wait at least five minutes before adding the device back. This interval ensures that the high availability pair resynchronizes first. If you do not wait five minutes, it may take more than one synchronization cycle to add the device to both Defense Centers.
Step 6 Click Switch Roles to change the local role from Active to Inactive, or Inactive to Active.
With the Primary or Secondary designation unchanged, the roles are switched between the two peers.
Step 7 Click Peer Manager in the toolbar.
The Peer Manager page appears.
You can view the following information:
- the IP address of the other Defense Center in the high availability pair
- the status, registered or unregistered, of the communications link
- the state, enabled or disabled, of the high availability pair
For information about editing the remote management communications between the two appliances, see Editing Remote Management.
Disabling High Availability and Unregistering Devices
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
If you want to remove one of the Defense Centers from a high availability pair, you must first disable the high availability link between them.
To disable a high availability pair:
Access:
Admin
Step 1 Log into one of the Defense Centers in the high availability pair.
Step 2 Select System > Local > Registration.
The Registration page appears.
Step 3 Click High Availability.
The High Availability page appears.
Step 4 Select one of the following options from the Handle Registered Devices drop-down list:
- To control all the managed devices with the Defense Center where you are accessing this page, select Unregister devices on the other peer.
- To control all the managed devices with the other Defense Center, select Unregister devices on this peer.
- To stop managing the devices altogether, select Unregister devices on both peers.
Step 5 Click Break High Availability.
After you answer the prompt Do you really want to Break High Availability? by selecting OK, high availability is disabled and any managed devices are deleted from the Defense Centers according to your selection.
You can enable high availability with a different Defense Center as described in Setting Up High Availability.
Pausing Communication Between Paired Defense Centers
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
If you want to temporarily disable high availability, you can disable the communications channel between the Defense Centers.
To disable the communications channel for a high availability pair:
Access:
Admin
Step 1 Click Peer Manager.
The Peer Manager page appears.
Step 2 Click the slider to disable the communications channel between the two Defense Centers.
For information about editing the remote management communications between the two appliances, see Editing Remote Management.
Restarting Communication Between Paired Defense Centers
License:
Any
Supported Defense Centers:
DC1000, DC1500, DC2000, DC3000, DC3500, DC4000
If you temporarily disabled high availability, you can enable the communications channel between the Defense Centers to restart high availability.
To enable the communications channel for a high availability pair:
Access:
Admin
Step 1 Click Peer Manager.
The Peer Manager page appears.
Step 2 Click the slider to enable the communications channel between the two Defense Centers.
For information about editing the remote management communications between the two appliances, see Editing Remote Management.
Working with Devices
License:
Any
You can use the Defense Center to manage the full range of devices that are a part of the FireSIGHT System. When you manage a device, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the device. The Defense Center uses this channel to send information to the device about how you want to analyze and manage your network traffic.
As the device evaluates the traffic, it generates events and sends them to the Defense Center using the same channel.
See the following sections for more information about managing devices:
Understanding the Device Management Page
License:
Any
The Device Management page provides you with a range of information and options that you can use to manage your registered devices, device clusters, and device groups. The page displays a list of all the devices currently registered on the Defense Center.
You can use the sort-by drop-down list to sort the appliance list according to your needs. Devices are displayed in the appliance list grouped by the category you select. You can sort by:
For device groups, you can expand and collapse the list of devices in the group. The list appears collapsed by default.
See the following table for more information about the appliance list.
Table 4-1 Appliance List Fields

| Field | Description |
|---|---|
| Name | A list of the hostname, IP address, device model, and software version for each device. The status icon to the left of the appliance indicates its current health status. |
| License Type | The licenses that are enabled on the managed device. |
| Health Policy | The currently applied health policy for the device. You can click the name of the health policy to view a read-only version of the policy. See Editing Health Policies for information about modifying an existing health policy. |
| System Policy | The currently applied system policy for the device. You can click the name of the system policy to view a read-only version of the policy. See Managing System Policies for more information. |
| Access Control Policy | A link to the currently applied access control policy. See Managing Access Control Policies. |
See the following sections for more information:
Configuring Remote Management
License:
Any
Before you can manage one FireSIGHT System appliance with another, you must set up a two-way, SSL-encrypted communication channel between the two appliances. The appliances use the channel to share configuration and event information. High availability peers also use the channel, which is by default on port 8305/tcp.
You must configure remote management on the appliance that will be managed, that is, on the device that you want to manage with a Defense Center. After you configure remote management, you can use the managing appliance’s web interface to add the managed appliance to your deployment.
Note that the procedure in this section explains how to configure remote management on FirePOWER physical appliances.
To enable communications between two appliances, you must provide a way for the appliances to recognize each other. There are three criteria the FireSIGHT System uses when allowing communications:
- the hostname or IP address of the appliance with which you are trying to establish communication
In NAT environments, even if the other appliance does not have a routable address, you must provide a hostname or an IP address either when you are configuring remote management, or when you are adding the managed appliance.
- a self-generated alphanumeric registration key up to 37 characters in length that identifies the connection
- an optional unique alphanumeric NAT ID that can help the FireSIGHT System establish communications in a NAT environment
The NAT ID must be unique among all NAT IDs used to register managed appliances. For more information, see Working in NAT Environments.
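The three criteria above can be validated before a registration is typed into either web interface. The following Python is an added example, not the FireSIGHT System's own code: the class, its method names, and the error texts are assumptions, the NAT ID registry is a constructed stand-in for the record of IDs already used, and the rule that a host may be omitted only when a NAT ID identifies the peer comes from the NAT note under Step 3 of the procedure that follows.

```python
"""Validate the three remote-management registration criteria on this page.

Added example, not Cisco code: the class, its methods, and the error texts
are assumptions. Rules encoded: a self-generated alphanumeric registration
key of at most 37 characters is required; a NAT ID, if given, must be
alphanumeric and unique among all NAT IDs used to register managed
appliances; a hostname or IP address may be omitted only when a NAT ID
will identify the peer instead.
"""
import re
from typing import Dict, List, Optional

ALNUM = re.compile(r"[A-Za-z0-9]+")
MAX_REG_KEY_LEN = 37  # registration key limit stated on this page


class RegistrationPlanner:
    """Keeps the NAT IDs already used by registered appliances (constructed
    helper) so a new registration can be checked for uniqueness."""

    def __init__(self) -> None:
        self.nat_ids: Dict[str, str] = {}  # NAT ID -> appliance that uses it

    def check(self, appliance: str, host: Optional[str],
              registration_key: Optional[str], nat_id: Optional[str]) -> List[str]:
        """Return the problems with a planned registration (empty list = OK)."""
        errors: List[str] = []
        key = registration_key or ""
        if not key:
            errors.append("registration key is required")
        elif not ALNUM.fullmatch(key):
            errors.append("registration key must be alphanumeric")
        elif len(key) > MAX_REG_KEY_LEN:
            errors.append(f"registration key is {len(key)} characters; "
                          f"maximum is {MAX_REG_KEY_LEN}")

        nat = nat_id or ""
        if nat:
            if not ALNUM.fullmatch(nat):
                errors.append("NAT ID must be alphanumeric")
            elif nat in self.nat_ids:
                errors.append(f"NAT ID '{nat}' is already used by {self.nat_ids[nat]}")

        # Without a routable host, the NAT ID is the only way to identify the peer.
        if not host and not nat:
            errors.append("hostname or IP address is required when no NAT ID is supplied")
        return errors

    def register(self, appliance: str, host: Optional[str],
                 registration_key: Optional[str], nat_id: Optional[str]) -> List[str]:
        """Record the registration if it passes the checks; return any problems."""
        errors = self.check(appliance, host, registration_key, nat_id)
        if not errors and nat_id:
            self.nat_ids[nat_id] = appliance
        return errors


if __name__ == "__main__":
    planner = RegistrationPlanner()
    # Constructed sample registrations: the second reuses the first one's NAT ID.
    print(planner.register("sensor-a", "10.0.0.5", "k3yA", "natid01"))
    print(planner.register("sensor-b", None, "k3yB", "natid01"))
```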
When you register a managed device to a Defense Center, you can select an access control policy to apply to the device. However, if the device is incompatible with the policy, the policy apply fails. This incompatibility could occur for multiple reasons, including licensing mismatches, model restrictions, passive vs inline issues, and other misconfigurations. If the initial access control policy apply fails, the initial network discovery policy apply also fails. After you resolve the issue that caused the failure, you must manually apply access control and network discovery policies to the device. For more information about issues that could cause access control policy apply to fail, see Troubleshooting Access Control Policies and Rules.
To configure remote management of the local appliance:
Access:
Admin
Step 1 On the web interface for the device you want to manage, select System > Local > Registration.
The Remote Management page appears.
Caution Cisco strongly recommends that you not change the value for the management port. If you change it, you must also change it for all appliances in your deployment that need to communicate with each other. For more information, see Changing the Management Port.
Step 2 Click Add Manager.
The Add Remote Management page appears.
Step 3 In the Management Host field, type the IP address or the hostname of the appliance that you want to use to manage this appliance.
The hostname is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.
In a NAT environment, you do not need to specify an IP address or hostname here if you plan to specify it when you add the managed appliance. In this case, the FireSIGHT System uses the NAT ID you will provide later to identify the remote manager on the managed appliance’s web interface.
Caution Use a hostname rather than an IP address if your network uses DHCP to assign IP addresses.
Step 4 In the Registration Key field, type the registration key that you want to use to set up communications between appliances.
Step 5 For NAT environments, in the Unique NAT ID field, type a unique alphanumeric NAT ID that you want to use to set up communications between appliances.
Step 6 Click Save.
After the appliances confirm that they can communicate with each other, the Pending Registration status appears.
Step 7 Use the managing appliance’s web interface to add this appliance to your deployment.
For more information, see Adding Devices to the Defense Center.
Note When enabling remote management of a device, in some high availability deployments that use NAT, you may also need to add the secondary Defense Center as a manager. For more information, contact Support.
Editing Remote Management
License:
Any
Use the following procedure to edit the hostname or IP address of the managing appliance. You can also change the display name of the managing appliance, which is a name only used within the context of the FireSIGHT System. Although you can use the hostname as the display name of the appliance, entering a different display name does not change the hostname.
Note that you cannot add devices running software more than one major version lower than the Defense Center. For example, if your Defense Center is running Version 5.4.0, you can add devices running 5.3.x or higher but not devices running 5.2.x.
Tip You can click the slider to enable or disable management of the managed device. Disabling management blocks the connection between the Defense Center and the device, but does not delete the device from the Defense Center. If you no longer want to manage a device, see Deleting Devices.
To edit remote management:
Access:
Admin
Step 1 On the web interface for the device, select System > Local > Registration.
The Remote Management page appears.
Step 2 Click the edit icon () next to the manager for which you want to edit remote management settings.
The Edit Remote Management page appears.
Step 3 In the Name field, change the display name of the managing appliance.
Step 4 In the Host field, change the IP address or the hostname of the managing appliance.
The hostname is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.
Step 5 Click Save.
Your changes are saved.
Changing the Management Port
License:
Any
FireSIGHT System appliances communicate using a two-way, SSL-encrypted communication channel, which by default is on port 8305.
Although Cisco strongly recommends that you keep the default setting, if the management port conflicts with other communications on your network, you can choose a different port. Usually, changes to the management port are made during installation of the FireSIGHT System.
Caution If you change the management port, you must change it for all appliances in your deployment that need to communicate with each other.
To change the management port:
Access:
Admin
Step 1 On the web interface for the device, select System > Local > Configuration.
The Information page appears.
Step 2 Click Network.
The Network Settings page appears.
Step 3 In the Remote Management Port field, enter the port number that you want to use.
Step 4 Click Save.
The management port is changed.
Step 5 Repeat this procedure for every appliance in your deployment that must communicate with this appliance.
Adding Devices to the Defense Center
License:
Any
When you manage a device, you set up a two-way, SSL-encrypted communication channel between the Defense Center and the device. The Defense Center uses this channel to send information about how you want to analyze your network traffic to the device. As the device evaluates the traffic, it generates events and sends them to the Defense Center using the same channel. For more information about configuring this channel, see Configuring Remote Management.
Note that you cannot add devices running software more than one major version lower than the Defense Center. For example, if your Defense Center is running Version 5.4, you can add devices running Version 5.3.x or higher but not devices running Version 5.2.x.
Before you manage a device with a Defense Center, you must make sure that the network settings are configured correctly on the device. This is usually completed as part of the installation process. See Configuring Management Interfaces for more information.
Note that if you registered a Defense Center and a device using IPv4 and want to convert them to IPv6, you must delete and re-register the device.
When you register a managed device to a Defense Center, you can select an access control policy to apply to the device. However, if the device is incompatible with the policy, the policy apply fails. This incompatibility could occur for multiple reasons, including licensing mismatches, model restrictions, passive vs inline issues, and other misconfigurations. If the initial access control policy apply fails, the initial network discovery policy apply also fails. After you resolve the issue that caused the failure, you must manually apply access control and network discovery policies to the device. For more information on issues that could cause access control policy apply to fail, see Troubleshooting Access Control Policies and Rules.
When you register a device cluster or device stack, although you can select licenses, these licenses cannot be applied upon device registration. This ensures that the cluster or stack is running the proper licenses to prevent it from entering a degraded state with mismatched licenses. After registration, you can evaluate the licenses in either the general properties (cluster) or stack properties (stack) of the Device Management page. For more information, see Establishing Device Clusters or Establishing Device Stacks.
When you register a Series 2 device, although you can select licenses, any licenses you select are not applied upon device registration. Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering. You cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.
Tip To modify the detailed configuration of a device, click the edit icon () next to the device. See Editing Device Configuration and Configuring Sensing Interfaces for more information.
To add a device to a Defense Center:
Access:
Admin/Network Admin
Step 1 Configure the device to be managed by the Defense Center.
For FirePOWER devices, use the procedure in Configuring Remote Management. After the device confirms communication with the Defense Center, the Pending Registration status appears.
For virtual devices, Cisco NGIPS for Blue Coat X-Series, and ASA FirePOWER devices, configure remote management using the device’s command line interface (CLI).
Note In some high availability deployments where network address translation (NAT) is used, you may also need to add the secondary Defense Center as a manager. For more information, contact Support.
Step 2 On the web interface for the Defense Center, select Devices > Device Management.
The Device Management page appears.
Step 3 From the Add drop-down menu, select Add Device.
The Add Device pop-up window appears.
Step 4 In the Host field, type the IP address or the hostname of the device you want to add.
The hostname of the device is the fully qualified domain name or the name that resolves through the local DNS to a valid IP address.
Note that in a NAT environment, you may not need to specify the IP address or hostname of the device if you already specified the IP address or hostname of the Defense Center when you configured the device to be managed by the Defense Center. For more information, see Working in NAT Environments.
Caution Use a hostname rather than an IP address if your network uses DHCP to assign IP addresses.
Step 5 In the Registration Key field, type the same registration key that you used when you configured the device to be managed by the Defense Center.
Step 6 Optionally, add the device to a device group by selecting the group from the Group drop-down list.
For more information about device groups, see Managing Device Groups.
Step 7 From the Access Control Policy drop-down list, select an initial policy to apply to the device:
- The Default Access Control policy blocks all traffic from entering your network.
- The Default Intrusion Prevention policy allows all traffic that is also passed by the Balanced Security and Connectivity intrusion policy.
- The Default Network Discovery policy allows all traffic, which is inspected by network discovery only.
- You can select any existing user-defined access control policy.
For more information, see Managing Access Control Policies.
Step 8 Select licenses to apply to the device. Note that:
- Control, Malware, and URL Filtering licenses require a Protection license.
- You cannot enable a VPN license on a virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device.
- You cannot enable a Control license on Cisco NGIPS for Blue Coat X-Series.
- Although you can enable a Control license on a virtual device or ASA FirePOWER device, these devices do not support fast-path rules, switching, routing, stacking, or clustering.
- You cannot change the license settings on clustered devices.
- For stacked devices, you enable or disable the licenses for the stack on the Stack page of the appliance editor.
- When you register a Series 2 device, any licenses you select are not applied upon device registration. Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering. You cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.
For more information, see Licensing the FireSIGHT System.
Step 9 If you used a NAT ID to identify the device when you configured it to be managed by the Defense Center, expand the Advanced section and enter the same NAT ID in the Unique NAT ID field.
Step 10 To allow the device to transfer packets to the Defense Center, select the Transfer Packets check box.
This option is enabled by default. If you disable it, you completely prohibit packet transfer to the Defense Center.
Step 11 Click Register.
The device is added to the Defense Center. Note that it may take up to two minutes for the Defense Center to verify the device’s heartbeat and establish communication.
Applying Changes to Devices
License:
Any
After you make changes to the configuration of a device, a device cluster, or a device stack, you must apply the changes before they take effect throughout the system. Note that the device must have unapplied changes or this option remains disabled.
Tip You can apply device changes from the Device Management page or from the Interfaces tab of the appliance editor.
To apply changes to the device:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to apply changes, click the apply icon ().
Step 3 When prompted, click Apply.
The device changes are applied.
Tip Optionally, from the Apply Device Changes dialog box, click View Changes. The Device Management Revision Comparison Report page appears in a new browser window. For more information, see Using the Device Management Revision Comparison Report.
Step 4 Click OK.
You are returned to the Device Management page.
Using the Device Management Revision Comparison Report
License:
Any
A device management comparison report allows you to view the changes you have made to an appliance before you apply them. The report displays all differences between the current appliance configuration and the proposed appliance configuration. This gives you an opportunity to discover any potential configuration errors.
To compare appliance changes before applying them:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the appliance where you want to apply changes, click the apply icon ().
The Apply Device Changes pop-up window appears. Note that the appliance must have unapplied changes or the apply icon remains disabled.
Step 3 Click View Changes.
The Device Management Revision Comparison Report page appears in a new window.
Step 4 Click Previous and Next to scroll through the differences between the current appliance configuration and the proposed appliance configuration.
Step 5 Optionally, click Comparison Report to produce a PDF version of the report.
Deleting Devices
License:
Any
If you no longer want to manage a device, you can delete it from the Defense Center. Deleting a device severs all communication between the Defense Center and the device. To manage the device again at a later date, you must re-add it to the Defense Center.
Note If you delete a device from a Defense Center configured in a high availability pair and want to re-add it, Cisco recommends that you wait at least five minutes before re-adding it. This interval ensures that the high availability pair resynchronizes so that both Defense Centers recognize the deletion. If you do not wait five minutes, it may take more than one synchronization cycle to add the device to both Defense Centers.
To delete a device from the Defense Center:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device you want to delete, click the delete icon ().
When prompted, confirm that you want to delete the device. Communication between the device and the Defense Center is discontinued and the device is deleted from the Device Management page. If the device has a system policy that causes it to receive time from the Defense Center via NTP, the device reverts to local time management.
Clustering Devices
License:
Control
Supported Devices:
Series 3
With device clustering (also called device high availability), you can establish redundancy of networking functionality and configuration data between two peer devices or two peer device stacks. See Managing Stacked Devices for more information about stacking devices.
You achieve configuration redundancy by clustering two peer devices or two peer device stacks as a single logical system for policy applies, system updates, and registration. The system automatically synchronizes other configuration data.
Clustering Requirements
Before you can configure a device cluster, both devices or device stack primary members must be the same model and have identical copper or fiber interfaces. Both devices or device stacks must also be running the same software and have the same licenses. Device stacks must have identical hardware configurations, except for an installed malware storage pack. For example, you can cluster a 3D8290 with a 3D8290; none, one, or all devices in either stack might have a malware storage pack. If the devices are targeted by NAT policies, both peers must have the same NAT policy. After you cluster the devices, you cannot change the license options for individual clustered devices, but you can change the license for the entire cluster. See Establishing Device Clusters for more information.
Caution Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the FireSIGHT System Malware Storage Pack Guide for more information.
Clustering Failover and Maintenance Mode
With a device cluster, the system fails over either manually or automatically. You manually trigger failover by placing one of the clustered devices or stacks in maintenance mode. For more information about maintenance mode, see Placing a Clustered Device into Maintenance Mode.
Automatic failover occurs after the health of the active device or stack becomes compromised, during a system update, or after a user with Administrator privileges shuts down the device. Automatic failover also occurs after an active device or device stack experiences NMSB failure, NFE failure, hardware failure, firmware failure, critical process failure, a disk full condition, or link failure between two stacked devices. If the health of the backup device or stack becomes similarly compromised, the system does not fail over and enters a degraded state. The system also does not fail over when one of the devices or device stacks is in maintenance mode. Note that disconnecting the stacking cable from an active stack sends that stack into maintenance mode. Shutting down the secondary device in an active stack also sends that stack into maintenance mode.
Note If the active cluster member goes into maintenance mode and the active role fails over to the other cluster member, when the original active cluster member is restored to normal operation it does not automatically reclaim the active role.
Applying Policies and Updates
When you apply policies, you apply them to the device cluster instead of the individual devices or stacks. If the policy fails, the system does not apply it to either device or stack. The policy first applies to the active device or stack and then the backup, so that the cluster always has one peer handling network traffic.
Caution When you apply policies, resource demands may result in a small number of packets dropping without inspection. Additionally, applying some configurations requires the Snort process to restart, which temporarily interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. On 7010, 7020, and 7030 managed devices, deploying configuration changes can take up to five minutes. See Configurations that Restart the Snort Process and How Snort Restarts Affect Traffic.
Clustered devices receive updates as a single entity rather than individual devices or stacks. When the update is started, the system first applies it to the backup device or stack, which goes into maintenance mode until any necessary processes restart and the device begins processing traffic again. The system then applies the update to the active device or stack, which follows the same process.
Achieving Redundancy Without Clustering Devices
In most cases, you can achieve Layer 3 redundancy without clustering devices by using the Cisco Redundancy Protocol (SFRP). SFRP allows devices to act as redundant gateways for specified IP addresses. With network redundancy, you configure two devices or stacks to provide identical network connections, ensuring connectivity for other hosts on the network. For more information about SFRP, see Configuring SFRP.
You determine how to configure device high availability depending on your FireSIGHT System deployment: passive, inline, routed, or switched. You can also deploy your system in multiple roles at once. Of the four deployment types, only passive deployments require that you cluster devices or stacks to provide redundancy. You can establish network redundancy for the other deployment types with or without device clusters. The following sections provide a brief overview of high availability in each deployment type.
Passive Deployment Redundancy
Passive interfaces are generally connected to tap ports on central switches, which allows them to analyze all of the traffic flowing across the switch. If multiple devices are connected to the same tap feed, the system generates events from each of the devices. When clustered, devices act as either active or backup, which allows the system to analyze traffic even in the event of a system failure while also preventing duplicate events.
Inline Deployment Redundancy
Because an inline set has no control over the routing of the packets being passed through it, it must always be active in a deployment. Therefore, redundancy relies on external systems to route traffic correctly. You can configure redundant inline sets with or without device clusters.
To deploy redundant inline sets, you configure the network topology so that it allows traffic to pass through only one of the inline sets while preventing circular routing. If one of the inline sets fails, the surrounding network infrastructure detects the loss of connectivity to the gateway address and adjusts the routes to send traffic through the redundant set.
Routed Deployment Redundancy
Hosts in an IP network must use a well-known gateway address to send traffic to different networks. Establishing redundancy in a routed deployment requires that routed interfaces share the gateway addresses so that only one interface handles traffic for that address at any given time. To accomplish this, you must maintain an equal number of IP addresses on a virtual router. One interface advertises the address. If that interface goes down, the backup interface begins advertising the address.
In non-clustered devices, you use SFRP to establish redundancy by configuring gateway IP addresses shared between multiple routed interfaces. You can configure SFRP with or without device clusters. You can also establish redundancy using dynamic routing such as OSPF or RIP.
Switched Deployment Redundancy
You establish redundancy in a switched deployment using the Spanning Tree Protocol (STP). STP is a protocol that manages the topology of bridged networks. It is specifically designed to allow redundant links to provide automatic backup for switched interfaces without configuring backup links. Devices in a switched deployment rely on STP to manage traffic between redundant interfaces. Two devices connected to the same broadcast network receive traffic based on the topology calculated by STP. See Configuring Advanced Virtual Switch Settings for more information about enabling STP.
Note Cisco strongly recommends that you enable STP when configuring a virtual switch that you plan to deploy in a device cluster.
See the following sections for more information about clustering devices and stacks:
Establishing Device Clusters
License:
Control
Supported Devices:
Series 3
Before you establish a device cluster, you must meet the following prerequisites:
- Configure interfaces on each device or each primary device in a stack.
- Each device or device stack primary member that you include in the cluster must be the same model and have identical copper or fiber interfaces.
- Both devices or device stacks must have normal health status, run the same software, and have the same licenses. See Using the Health Monitor for more information. In particular, the devices cannot have hardware failures that would cause them to enter maintenance mode and trigger a failover.
- You cannot mismatch devices and stacks in a cluster. You must cluster single devices with single devices or device stacks with device stacks that have identical hardware configurations, except for the presence of a malware storage pack. For example, you can cluster a 3D8290 with a 3D8290; none, one, or all devices in either stack might have an installed malware storage pack. For more information on the malware storage pack, see the FireSIGHT System Malware Storage Pack Guide.
Caution Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the FireSIGHT System Malware Storage Pack Guide for more information.
- If the devices are targeted by NAT policies, both peers must have the same NAT policy.
When establishing a device cluster, you designate one of the devices or stacks as active and the other as backup. The system applies a merged configuration to the clustered devices. If there is a conflict, the system applies the configuration from the device or stack you designated as active.
After you cluster the devices, you cannot change the license options for individual clustered devices, but you can change the license for the entire cluster. See Editing Device Clusters for more information. If there are interface attributes that need to be set on switched interfaces or routed interfaces, the system establishes the cluster, but sets it to a pending status. After you configure the necessary attributes, the system completes the device cluster and sets it to a normal status.
After you establish a clustered pair, the system treats the peer devices or stacks as a single device on the Device Management page. Device clusters display the cluster icon () in the appliance list. Any configuration changes you make are synchronized between the clustered devices. The Device Management page displays which device or stack in the cluster is active, which changes after manual or automatic failover. See Placing a Clustered Device into Maintenance Mode for more information about manual failover.
Removing registration of a device cluster from a Defense Center removes registration from both devices or stacks. You remove a device cluster from the Defense Center as you would an individual managed device. See Deleting Devices for more information.
You can then register the cluster on another Defense Center. To register clustered single devices, you add remote management to the active device in the cluster and then add that device to the Defense Center, which adds the entire cluster. To register clustered stacked devices, you add remote management to the primary device of either stack and then add that device to the Defense Center, which adds the entire cluster. See Adding Devices to the Defense Center for more information.
After you establish a device cluster, you can configure a high availability link interface, as explained in Configuring HA Link Interfaces.
To cluster devices or device stacks:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 From the Add drop-down menu, select Add Cluster.
The Add Cluster pop-up window appears.
Step 3 In the Name field, type the name of the cluster.
You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ', and ".
Step 4 Select the Active device or stack for the cluster.
Step 5 Select the Backup device or stack for the cluster.
Step 6 Click Cluster.
The device cluster is added. This takes a few minutes while the system synchronizes data between the peers.
Editing Device Clusters
License:
Control
Supported Devices:
Series 3
After you establish a device cluster, most changes you make to the device configuration also change the configuration of the entire cluster.
You can view the status of the cluster by hovering your pointer over the status icon in the General section. You can also view which device or stack is the active peer and backup peer in the cluster.
See the following sections for more information:
To edit a device cluster:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster where you want to edit the configuration, click the edit icon ().
The Cluster page appears.
Step 3 Use the sections on the Cluster page to make changes to the clustered configuration as you would a single device configuration.
Configuring Individual Devices in a Cluster
License:
Control
Supported Devices:
Series 3
After you establish a device cluster, you can still configure some attributes for each device within the cluster. You can make changes to a clustered device just as you would to a single device.
See the following sections for more information:
To configure an individual device in a cluster:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster where you want to edit the configuration, click the edit icon ().
The Cluster page appears.
Step 3 Click Devices.
The Devices page appears.
Step 4 From the Selected Device drop-down list, select the device you want to modify.
Step 5 Use the sections on the Devices page to make changes to the individual clustered device as you would a single device.
Configuring Individual Device Stacks in a Cluster
License:
Control
Supported Devices:
Series 3
After you cluster a pair of stacked devices, the system limits the stack attributes that you can edit. You can edit the name of a stack in a clustered stack. In addition, you can edit the network configuration of the stack, as described in Configuring Interfaces on a Clustered Device.
To edit the name of a stack in a cluster:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster where you want to edit the configuration, click the edit icon ().
The Cluster page appears.
Step 3 Click Stacks.
The Stacks page appears.
From the Selected Device drop-down list, select the stack you want to modify.
Step 4 Next to the General section, click the edit icon ().
The General pop-up window appears.
Step 5 In the Name field, type a new assigned name for the stack.
You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ', and ".
Step 6 Click Save.
The new name is saved. Note that your changes do not take effect until you apply the stack configuration; see Applying Changes to Devices for more information.
Configuring Interfaces on a Clustered Device
License:
Control
Supported Devices:
Series 3
You can configure interfaces on individual devices in a cluster. However, you must also configure an equivalent interface on the peer device in the cluster. For clustered stacks, you configure identical interfaces on the primary devices of the stacks. When you configure virtual routers, you select the stack where you want to configure the routers. See Configuring Virtual Routers for more information.
The Interfaces page of a clustered device includes the hardware and interfaces views that you find on an individual device. See Configuring Sensing Interfaces for more information.
To configure interfaces on a clustered device:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster where you want to configure interfaces, click the edit icon ().
The Cluster page appears.
Step 3 Click Interfaces.
The Interfaces page appears.
Step 4 From the Selected Device drop-down list, select the device you want to modify.
Step 5 Configure interfaces as you would on an individual device. See Configuring Sensing Interfaces for more information.
Switching the Active Peer in a Cluster
License:
Control
Supported Devices:
Series 3
After you establish a device cluster, you can manually switch the active and backup peer devices or stacks.
To switch the active peer in a cluster:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster for which you want to change the active peer, click the switch active peer icon ().
The Switch Active Peer pop-up window appears.
Step 3 Click Yes to immediately make the backup device the active device in the cluster. Click No to cancel and return to the Device Management page.
Placing a Clustered Device into Maintenance Mode
License:
Control
Supported Devices:
Series 3
After you establish a cluster, you can manually trigger failover by placing one of the clustered devices or stacks into maintenance mode to perform maintenance on the devices. In maintenance mode, the system administratively takes down all interfaces except for the management interface. After maintenance is completed, you can re-enable the device to resume normal operation.
Note You should not place both members of a cluster into maintenance mode at the same time. Doing so will prevent that cluster from inspecting traffic.
To place a clustered device into maintenance mode:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the clustered device you want to place in maintenance mode, click the toggle maintenance mode icon ().
The Confirm Maintenance Mode pop-up window appears.
Step 3 Click Yes to confirm maintenance mode or click No to cancel.
Step 4 Click the toggle maintenance mode icon () again to bring the device out of maintenance mode.
Replacing a Device in a Clustered Stack
License:
Control
Supported Devices:
Series 3
After you place a stack that is a cluster member into maintenance mode, you can replace a secondary device in the stack with another device. You can only select devices that are not currently stacked or clustered. The new device must follow the same guidelines for establishing a device stack. See Establishing Device Stacks.
To replace a device in a clustered stack:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the stack member you want to place into maintenance mode, click the toggle maintenance mode icon ().
The Confirm Maintenance Mode pop-up window appears.
Step 3 Click Yes to confirm maintenance mode or click No to cancel.
Step 4 Click the replace device icon ().
The Replace Device pop-up window appears.
Step 5 Select the Replacement Device from the drop-down list.
Step 6 Click Replace to replace the device or click Cancel to keep the current device and return to the Device Management page.
Step 7 Click the toggle maintenance mode icon () again to bring the stack immediately out of maintenance mode.
You do not need to reapply the device configuration.
Establishing Clustered State Sharing
License:
Control
Supported Devices:
Series 3
Clustered state sharing allows clustered devices or clustered stacks to synchronize as much state as necessary, so that if either device or stack fails, the other peer can take over with no interruption to traffic flow. Without state sharing, the following features may not fail over properly:
- Strict TCP enforcement
- Unidirectional access control rules
- Blocking persistence
Note, however, that enabling state sharing slows system performance.
You must configure and enable HA link interfaces on both devices or the primary stacked devices in the cluster before you can configure clustered state sharing. 82xx Family and 83xx Family devices require a 10G HA link, while other model devices require a 1G HA link. See Configuring HA Link Interfaces for more information.
Note If clustered devices fail over, the system terminates all existing SSL-encrypted sessions on the active device. Even if you establish clustered state sharing, these sessions must be renegotiated on the backup device. If the server establishing the SSL session supports session reuse and the backup device does not have the SSL session ID, it cannot renegotiate the session. For more information, see Clustering Devices.
Strict TCP Enforcement
When you enable strict TCP enforcement for a domain, the system drops any packets that are out of order on TCP sessions. For example, the system drops non-SYN packets received on an unestablished connection. With state sharing, devices in the cluster allow TCP sessions to continue after failover without having to reestablish the connection, even if strict TCP enforcement is enabled. You can enable strict TCP enforcement on inline sets, virtual routers, and virtual switches.
Unidirectional Access Control Rules
If you have configured unidirectional access control rules, network traffic may match a different access control rule than intended when the system reevaluates a connection midstream after failover. For example, consider if you have a policy containing the following two access control rules:
Rule 1: Allow from 192.168.1.0/24 to 192.168.2.0/24
Without state sharing, if an allowed connection from 192.168.1.1 to 192.168.2.1 is still active following a failover and the next packet is seen as a response packet, the system denies the connection. With state sharing, a midstream pickup would match the existing connection and continue to be allowed.
Blocking Persistence
While many connections are blocked on the first packet based on access control rules or other factors, there are cases where the system allows some number of packets through before determining that the connection should be blocked. With state sharing, the system immediately blocks the connection on the peer device or stack as well.
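The three behaviours above (strict TCP enforcement, unidirectional rules, and blocking persistence) are easier to see in a small simulation. The following Python model is an added example written for this page, not FireSIGHT code; the Device and Packet classes, the default block action when no rule matches, and the midstream block are simplifying assumptions, and Rule 1 is the rule from the example above.

```python
"""Added example (not FireSIGHT code): how clustered state sharing changes the
verdict a backup peer gives to packets of a connection opened through the
active peer. Addresses are the ones used in the page's Rule 1 example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool = False  # True only on the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "block"
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        # Unidirectional: only packets flowing src_net -> dst_net match.
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net))


class Device:
    """One cluster peer: an access control policy plus a connection table."""

    def __init__(self, name: str, rules: list, strict_tcp: bool = True):
        self.name = name
        self.rules = rules
        self.strict_tcp = strict_tcp
        # Keyed by the unordered endpoint pair so both directions of a
        # connection map to the same entry.
        self.flows: dict = {}

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        return frozenset((pkt.src, pkt.dst))

    def inspect(self, pkt: Packet) -> str:
        k = self.key(pkt)
        if k in self.flows:
            return self.flows[k]  # midstream packet: keep the existing verdict
        if self.strict_tcp and not pkt.syn:
            return "drop"  # strict TCP: non-SYN packet on an unknown connection
        verdict = "block"  # assumed default when no rule matches
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        self.flows[k] = verdict
        return verdict

    def block_midstream(self, pkt: Packet) -> None:
        # Models a connection that was allowed at first and blocked later,
        # after some packets had already passed (blocking persistence case).
        self.flows[self.key(pkt)] = "block"

    def share_state_to(self, peer: "Device") -> None:
        # Clustered state sharing: replicate the connection table to the peer.
        peer.flows.update(self.flows)


RULES = [Rule("allow", "192.168.1.0/24", "192.168.2.0/24")]  # Rule 1 from the page


def response_after_failover(state_sharing: bool, strict_tcp: bool = True) -> str:
    """Verdict the backup gives the server's reply once the active peer fails."""
    active = Device("active", RULES, strict_tcp)
    backup = Device("backup", RULES, strict_tcp)
    active.inspect(Packet("192.168.1.1", "192.168.2.1", syn=True))  # allowed by Rule 1
    if state_sharing:
        active.share_state_to(backup)
    # Failover: the next packet is the server's response, now seen by the backup.
    return backup.inspect(Packet("192.168.2.1", "192.168.1.1"))


def blocked_after_failover(state_sharing: bool) -> str:
    """Verdict the backup gives to a connection the active peer blocked midstream.
    Strict TCP is off here so the effect of re-evaluating the rules is visible."""
    active = Device("active", RULES, strict_tcp=False)
    backup = Device("backup", RULES, strict_tcp=False)
    client = Packet("192.168.1.5", "192.168.2.9", syn=True)
    active.inspect(client)          # allowed by Rule 1 on the first packet
    active.block_midstream(client)  # later decided to be blocked
    if state_sharing:
        active.share_state_to(backup)
    return backup.inspect(Packet("192.168.1.5", "192.168.2.9"))


if __name__ == "__main__":
    print("reply, no sharing, strict TCP:", response_after_failover(False))
    print("reply, no sharing, lax TCP:   ", response_after_failover(False, False))
    print("reply, state sharing:         ", response_after_failover(True))
    print("blocked flow, no sharing:     ", blocked_after_failover(False))
    print("blocked flow, state sharing:  ", blocked_after_failover(True))
```

Without sharing the backup either drops the reply (strict TCP) or re-evaluates it against Rule 1 in the wrong direction and blocks it; with sharing it finds the existing connection and keeps allowing it, and a midstream block is enforced on the peer immediately rather than being re-allowed by Rule 1.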
When establishing clustered state sharing, you can configure the following options:
Enabled
Click the check box to enable state sharing. Clear the check box to disable state sharing.
Minimum Flow Lifetime
Specify the minimum time (in milliseconds) for a session before the system sends any synchronization messages for it. You can use any integer from 0 to 65535. The system does not synchronize any sessions that have not met the minimum flow lifetime, and the system synchronizes only when a packet is received for the connection.
Minimum Sync. Interval
Specify the minimum time (in milliseconds) between update messages for a session. You can use any integer from 0 to 65535. The minimum synchronization interval prevents synchronization messages for a given connection from being sent more frequently than the configured value after the connection reaches the minimum lifetime.
Maximum HTTP URL Length
Specify the maximum number of characters of the URL that the system synchronizes between the clustered devices. You may use any integer from 0 to 225.
Note Cisco recommends that you use the default values, unless your deployment presents a good reason to change them. Decreasing the values allows increased clustered peer readiness, while increasing the values allows better performance.
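To make the interaction of the three settings concrete, here is an added simulation that is not part of the original guide and is not FireSIGHT System code. It applies the semantics stated in the option descriptions above (no synchronization before the minimum flow lifetime, synchronization only on packet arrival, and no two updates closer than the minimum synchronization interval) to a constructed list of packet timestamps for one session. The packet timestamps, the function names, and the setting values passed in are assumptions; the real device's scheduling details are not documented here.

```python
# Constructed model of the State Sharing settings (all times in milliseconds,
# as on the State Sharing pop-up window).

def sync_points(packet_times_ms, min_flow_lifetime_ms, min_sync_interval_ms):
    """Return the packet timestamps at which a synchronization message would
    be sent to the clustered peer for one session.

    - The session starts at the first packet.
    - Nothing is sent until the session is at least min_flow_lifetime_ms old.
    - A message is sent only when a packet arrives (no timer-driven updates).
    - Once the first message has been sent, further messages are spaced at
      least min_sync_interval_ms apart.
    """
    if not packet_times_ms:
        return []
    start = packet_times_ms[0]
    last_sync = None
    sent = []
    for t in packet_times_ms:
        if t - start < min_flow_lifetime_ms:
            continue            # session too young to be worth sharing yet
        if last_sync is not None and t - last_sync < min_sync_interval_ms:
            continue            # rate-limited by the minimum sync interval
        sent.append(t)
        last_sync = t
    return sent

def truncate_url(url, max_url_len):
    """Maximum HTTP URL Length: only the first max_url_len characters are shared."""
    return url[:max_url_len]

# Constructed session: packet arrival offsets for a single TCP connection.
PACKETS = [0, 50, 120, 300, 310, 900, 1500, 1510, 2600]

if __name__ == "__main__":
    # Lower values: more messages, so the peer is ready sooner after failover.
    print(sync_points(PACKETS, 0, 0))        # every packet
    # Higher values: fewer messages across the HA link, at the cost of readiness.
    print(sync_points(PACKETS, 200, 500))    # [300, 900, 1500, 2600]
    print(sync_points(PACKETS, 5000, 500))   # [] - short session never shared
```

Running the same session through different settings shows the trade-off the note describes: short-lived sessions with a high minimum flow lifetime are never shared at all, which is exactly what you give up for the lower HA-link load.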
To establish clustered state sharing:
Access: Admin/Network Admin
Step 1 Configure HA link interfaces for each device in the cluster. See Configuring HA Link Interfaces for more information.
Step 2 Select Devices > Device Management.
The Device Management page appears.
Step 3 Next to the device cluster you want to edit, click the edit icon.
The Cluster page appears.
Step 4 Next to the State Sharing section, click the edit icon.
The State Sharing pop-up window appears.
Step 5 Configure the state sharing options, as described earlier in this section.
Step 6 Click OK.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Troubleshooting Clustered State Sharing
License: Control
Supported Devices: Series 3
After you enable state sharing, you can view the following information about the configuration in the State Sharing section of the Cluster page:
- The HA link interface that is being used and its current link state
- Detailed synchronization statistics for troubleshooting issues
The state sharing statistics are primarily counters for different aspects of the clustered synchronization traffic sent and received, along with some other error counters. In addition, you can view the latest system logs for each device in the cluster.
See the following sections for more information about the statistics you can view for each device and how you can use them to troubleshoot your clustered state sharing configuration.
Messages Received (Unicast)
Messages received are the number of cluster synchronization messages received from the clustered peer.
The value should be close to the number of messages sent by the peer. During active use, the values may not match, but should be close. If traffic stops, the values should become stable and the messages received will match the messages sent.
For troubleshooting, you should view both the messages received and the messages sent, compare the rate of increase, and make sure the values are close. The sent value on each peer should be incrementing at approximately the same rate as the received value on the opposite peer.
Contact Support if the received messages stop incrementing or increment slower than the messages sent by the peer.
Packets Received
The system batches multiple messages into single packets in order to decrease overhead. The Packets Received counter displays the total number of these data packets, as well as other control packets that have been received by a device.
The value should be close to the number of packets sent by the peer device. During active use, the values may not match, but should be close. Because the number of messages received should be close and incrementing at the same rate as the number of messages sent by the peer, the number of packets received should have the same behavior.
For troubleshooting, you should view both the packets received and the messages sent, compare the rate of increase, and make sure the values are increasing at the same rate. If the sent value on the clustered peer is incrementing, the received value on the device should also increase at the same rate.
Contact Support if the received packets stop incrementing or increment slower than the messages sent by the peer.
Total Bytes Received
Total bytes received are the number of bytes that make up the packets received from the clustered peer.
The value should be close to the number of bytes sent by the other peer. During active use, the values may not match, but should be close.
For troubleshooting, you should view both the total bytes received and the messages sent, compare the rate of increase, and make sure the values are increasing at the same rate. If the sent value on the clustered peer is incrementing, the received value on the device should also increase at the same rate.
Contact Support if the received bytes stop incrementing or increment slower than the messages sent by the peer.
Protocol Bytes Received
Protocol bytes received are the number of bytes of protocol overhead received, which includes everything but the payload of session state synchronization messages.
The value should be close to the number of bytes sent by the peer. During active use, the values may not match, but should be close.
For troubleshooting, you should view the total bytes received to discover how much actual state data is being shared in comparison to protocol data. If the protocol data is a large percentage of the data being sent, you can adjust the minimum sync interval.
Contact Support if the protocol bytes received increment at a similar rate to the total bytes received. Protocol bytes received should be minimal in relation to the total bytes received.
Messages Sent
Messages sent are the number of cluster synchronization messages sent to the clustered peer.
This data is useful in comparison to the number of messages received. During active use, the values may not match, but should be close.
For troubleshooting, you should view both the messages received and the messages sent, compare the rate of increase, and make sure the values are close.
Contact Support if the messages sent increment at a similar rate to the total bytes received.
Bytes Sent
Bytes sent are the total number of bytes sent that make up the cluster synchronization messages sent to the peer.
This data is useful in comparison to the number of messages received. During active use, the values may not match, but should be close. The number of bytes received on the peer should be close to, but not more than, this value.
Contact Support if the total bytes received is not incrementing at about the same rate as the bytes sent.
Tx Errors
Tx errors are the number of memory allocation failures the system encounters when trying to allocate space for messages to be sent to the clustered peer.
This value should be zero at all times on both peers. Contact Support if this number is not zero or if the number steadily increases, which indicates the system has encountered an error where it cannot allocate memory.
Tx Overruns
Tx overruns are the number of times the system attempts and fails to place a message into the transit queue.
This value should be zero at all times on both peers. When the value is not zero or is steadily increasing, it indicates that the system is sharing too much data across the HA link that cannot be sent quickly enough.
You should increase the HA link MTU if it was previously set below the default value (9918 or 9922). You can change the minimum flow lifetime and minimum synchronization interval settings to reduce the amount of data shared across the HA link to prevent the number from incrementing.
Contact Support if this value persists or continues to increase.
Recent Logs
The system log displays the most recent clustered synchronization messages. The log should not display any ERROR or WARN messages. It should remain comparable between the peers, such as the same number of sockets being connected.
However, the data displayed may be opposite in some instances, for example, one peer reports that it received a connection from the other peer and references different IP addresses. The log provides a comprehensive view of the clustered state sharing connection, and any errors within the connection.
Contact Support if the log displays an ERROR or WARN message, or any message that does not appear to be purely informational.
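The comparisons described under the individual counters above, gathered into one added checker that is not part of the original guide and is not FireSIGHT System code. It takes two snapshots of each peer's State Sharing Statistics over the same interval, applies the received-versus-sent, protocol-overhead, Tx Errors, Tx Overruns and Recent Logs checks, and lists the conditions the text says warrant contacting Support. The SyncStats field names, the 10% lag tolerance, the 25% protocol-overhead ceiling, and the sample snapshots and log lines are all constructed for illustration; the web interface shows these counters on the State Sharing Statistics pop-up, and how you export them is not covered here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SyncStats:
    """One snapshot of a device's State Sharing Statistics counters (constructed names)."""
    messages_received: int
    packets_received: int
    total_bytes_received: int
    protocol_bytes_received: int
    messages_sent: int
    bytes_sent: int
    tx_errors: int
    tx_overruns: int

def delta(before, after, field):
    """Counter growth between two snapshots."""
    return getattr(after, field) - getattr(before, field)

def check_device(name, mine, peer, log_lines, lag_tolerance=0.10, proto_ratio_max=0.25):
    """Apply the troubleshooting checks to one device ('mine') against its peer.
    'mine' and 'peer' are (before, after) snapshot pairs taken over the same
    window. The tolerance and protocol-ratio thresholds are assumptions."""
    mine0, mine1 = mine
    peer0, peer1 = peer
    findings = []

    # Messages Received should grow at about the rate of the peer's Messages Sent.
    recv = delta(mine0, mine1, "messages_received")
    sent = delta(peer0, peer1, "messages_sent")
    if sent > 0 and recv < sent * (1 - lag_tolerance):
        findings.append(f"{name}: messages received grew by {recv} but peer sent {sent}")

    # Packets Received must keep incrementing while the peer keeps sending.
    if sent > 0 and delta(mine0, mine1, "packets_received") == 0:
        findings.append(f"{name}: packets received stopped incrementing")

    # Total Bytes Received: close to, and not more than, the peer's Bytes Sent.
    rbytes = delta(mine0, mine1, "total_bytes_received")
    sbytes = delta(peer0, peer1, "bytes_sent")
    if sbytes > 0 and not (sbytes * (1 - lag_tolerance) <= rbytes <= sbytes):
        findings.append(f"{name}: total bytes received {rbytes} vs peer bytes sent {sbytes}")

    # Protocol Bytes Received should be minimal relative to Total Bytes Received.
    pbytes = delta(mine0, mine1, "protocol_bytes_received")
    if rbytes > 0 and pbytes / rbytes > proto_ratio_max:
        findings.append(f"{name}: protocol overhead is {pbytes / rbytes:.0%} of bytes received; "
                        "consider raising Minimum Sync. Interval")

    # Tx Errors and Tx Overruns should be zero at all times on both peers.
    for field in ("tx_errors", "tx_overruns"):
        if getattr(mine1, field) != 0:
            findings.append(f"{name}: {field} = {getattr(mine1, field)} "
                            f"(grew by {delta(mine0, mine1, field)})")

    # Recent Logs should contain only informational messages.
    for line in log_lines:
        if "ERROR" in line or "WARN" in line:
            findings.append(f"{name}: non-informational log line: {line.strip()}")
    return findings

def check_cluster(a, b, logs_a, logs_b):
    """Run the checks in both directions for a clustered pair."""
    return check_device("peerA", a, b, logs_a) + check_device("peerB", b, a, logs_b)

# Constructed snapshots. In the "bad" case peer B shows Tx overruns and a WARN
# line, and peer A receives less than B reports sending.
A0 = SyncStats(10_000, 2_000, 5_000_000, 200_000, 12_000, 6_000_000, 0, 0)
A1_OK = SyncStats(10_300, 2_060, 5_150_000, 220_000, 13_000, 6_500_000, 0, 0)
A1_BAD = SyncStats(10_250, 2_050, 5_125_000, 220_000, 13_000, 6_500_000, 0, 0)
B0 = SyncStats(12_000, 2_400, 6_000_000, 240_000, 10_000, 5_000_000, 0, 0)
B1_OK = SyncStats(13_000, 2_600, 6_500_000, 260_000, 10_300, 5_150_000, 0, 0)
B1_BAD = SyncStats(13_000, 2_600, 6_500_000, 260_000, 10_300, 5_150_000, 0, 12)
LOGS_OK = ["INFO  cluster sync: 2 sockets connected to peer 10.0.0.2"]
LOGS_BAD = ["INFO  cluster sync: 2 sockets connected to peer 10.0.0.1",
            "WARN  cluster sync: transmit queue full, message dropped"]

if __name__ == "__main__":
    print(check_cluster((A0, A1_OK), (B0, B1_OK), LOGS_OK, LOGS_OK))      # []
    for f in check_cluster((A0, A1_BAD), (B0, B1_BAD), LOGS_OK, LOGS_BAD):
        print(f)
```

Take the two snapshots a fixed interval apart with Refresh (Step 5 of the procedure below) so that rates, not absolute counts, are compared; the absolute values legitimately differ between peers while traffic is flowing.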
To view clustered state sharing statistics:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster you want to edit, click the edit icon.
The Cluster page for the device cluster appears.
Step 3 In the State Sharing section, click the view statistics icon.
The State Sharing Statistics pop-up window appears.
Step 4 Optionally, select a Device to view if your cluster is composed of device stacks.
Step 5 Optionally, click Refresh to update the statistics.
Step 6 Optionally, click View to view the latest data log for each clustered device.
Separating Clustered Devices
License: Control
Supported Devices: Series 3
When you break device clustering, the active device or stack retains full deployment functionality. The backup device or stack loses its interface configurations and fails over to the active device or stack, unless you choose to leave the interface configurations active, in which case the backup device or stack resumes normal operation. Breaking a cluster always removes the configuration of passive interfaces on the backup devices. Any devices in maintenance mode resume normal operation upon breaking the cluster.
To separate a clustered device:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device cluster you want to break, click the break cluster icon.
The Confirm Break pop-up window appears.
Step 3 Optionally, select the check box to remove the interface configurations on the backup device or stack, which means all interfaces except for the management interface are administratively taken down.
Step 4 Click Yes.
The device cluster is separated.
Managing Stacked Devices
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
You can increase the amount of traffic inspected on a network segment by using devices in a stacked configuration. For each stacked configuration, all devices in the stack must have the same hardware. However, if the stack does not contain a 3D9900, none, some, or all devices might have an installed malware storage pack. The devices must also be from the same device family based on the following stacked configurations:
For Series 2 and the 81xx Family:
For the 82xx Family:
- up to four 3D8250s
- a 3D8260 (a primary device and a secondary device)
- a 3D8270 (a primary device with 40G capacity and two secondary devices)
- a 3D8290 (a primary device with 40G capacity and three secondary devices)
For the 83xx Family:
- up to four 3D8350s
- a 3D8360 (a primary device with 40G capacity and a secondary device)
- a 3D8370 (a primary device with 40G capacity and two secondary devices)
- a 3D8390 (a primary device with 40G capacity and three secondary devices)
- up to four AMP8350s
- an AMP8360 (a primary device with 40G capacity and a secondary device)
- an AMP8370 (a primary device with 40G capacity and two secondary devices)
- an AMP8390 (a primary device with 40G capacity and three secondary devices)
For more information about stacked configurations, see the FireSIGHT System Installation Guide. For more information about the malware storage pack, see the FireSIGHT System Malware Storage Pack Guide.
Caution Do not attempt to install a hard drive that was not supplied by Cisco in your device. Installing an unsupported hard drive may damage the device. Malware storage pack kits are available for purchase only from Cisco, and are for use only with 8000 Series devices. Contact Support if you require assistance with the malware storage pack. See the FireSIGHT System Malware Storage Pack Guide for more information.
When you establish a stacked configuration, you combine the resources of each stacked device into a single, shared configuration.
You designate one device as the primary device, where you configure the interfaces for the entire stack. You designate the other devices as secondary. Secondary devices must not be currently sensing any traffic and must not have link on any interface.
Connect the primary device to the network segment you want to analyze in the same way you would configure a single device. See Configuring Sensing Interfaces for more information. Connect the secondary devices to the primary device using the stacked device cabling instructions found in the FireSIGHT System Installation Guide.
All devices in the stacked configuration must have the same hardware, run the same software version, and have the same licenses. If the devices are targeted by NAT policies, both the primary and secondary device must have the same NAT policy. See Managing NAT Policies for more information. You must apply updates to the entire stack from the Defense Center. If an update fails on one or more devices in the stack, the stack enters a mixed-version state. You cannot apply policies to or update a stack in a mixed-version state. To correct this state, you can break the stack or remove individual devices with different versions, update the individual devices, then reestablish the stacked configuration. After you stack the devices, you can change the licenses only for the entire stack at once.
After you establish the stacked configuration, the devices act like a single, shared configuration. If the primary device fails, no traffic is passed to the secondary devices. Health alerts are generated indicating that the stacking heartbeat has failed on the secondary devices. See Using Health Monitoring for more information.
If the secondary device in a stack fails, inline sets with configurable bypass enabled go into bypass mode on the primary device. For all other configurations, the system continues to load balance traffic to the failed secondary device. In either case, a health alert is generated to indicate loss of link.
You can use a device stack as you would a single device in your deployment, with a few exceptions. If you have clustered devices, you cannot stack a device cluster or a device in a clustered pair. See Clustering Devices for more information. You also cannot configure NAT on a device stack.
Note If you use eStreamer to stream event data from stacked devices to an external client application, collect the data from each device and ensure that you configure each device identically. The eStreamer settings are not automatically synchronized between stacked devices.
See the following sections for more information:
Establishing Device Stacks
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
You can increase the amount of traffic inspected on a network segment by stacking two fiber-based 3D9900s, two 3D8140 devices, up to four 3D8250s, a 3D8260, a 3D8270, a 3D8290, up to four 3D8350s, a 3D8360, a 3D8370, or a 3D8390, up to four AMP8350s, an AMP8360, an AMP8370, or an AMP8390, and using their combined resources in a single, shared configuration. Before you begin, you must:
- decide which unit will be the primary device
- cable the units properly before designating the primary/secondary relationship. For information about cabling, see the FireSIGHT System Installation Guide.
Note If you have clustered devices, you cannot stack a device cluster or a device in a clustered pair. However, you can cluster a device stack. See Clustering Devices for more information.
After you establish a device stack, the system treats the devices as a single device on the Device Management page. Device stacks display the stack icon in the appliance list.
Removing registration of a device stack from a Defense Center also removes registration from both devices. You delete stacked devices from the Defense Center as you would a single managed device; you can then register the stack on another Defense Center. You only need to register one of the stacked devices on the new Defense Center for the entire stack to appear. See Deleting Devices and Adding Devices to the Defense Center for more information.
After you establish the device stack, you cannot change which devices are primary or secondary unless you break and reestablish the stack. However, you can:
- add secondary devices to an existing stack of two or three 3D8250s, a 3D8260, or a 3D8270 up to the limit of four 3D8250s in a stack
- add secondary devices to an existing stack of two or three 3D8350s, a 3D8360, or a 3D8370 up to the limit of four 3D8350s in a stack
- add secondary devices to an existing stack of two or three AMP8350s, an AMP8360, or an AMP8370 up to the limit of four AMP8350s in a stack
For additional devices, the primary device in the stack must have the necessary stacking NetMods for additional cabled devices. For example, if you have a 3D8260 where the primary only has a single stacking NetMod, you cannot add another secondary device to this stack. You add secondary devices to an existing stack in the same manner that you initially establish a stacked device configuration.
To establish a stacked device configuration:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 From the Add drop-down menu, select Add Stack.
The Add Stack pop-up window appears.
Step 3 From the Primary drop-down list, select the device that you cabled for primary operation.
Note If you edit a device that is not cabled as the primary device, you cannot perform the next series of steps.
Step 4 In the Name field, type the name of the stack. You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ', and ".
Step 5 Click Add to select the devices you want to form a stack with.
The Add Secondary Connection pop-up window appears. The following graphic displays the primary device front view for a 3D8140.
Step 6 From the Slot on Primary Device drop-down list, select the stacking network module that connects the primary device to the secondary device.
Step 7 From the Secondary Device drop-down list, select the device you cabled for secondary operation.
Note All devices in a stack must be of the same hardware model (for example, 3D9900 with 3D9900, 3D8140 with 3D8140, and so on). You can stack a total of four devices (one primary device and up to three secondary devices) in the 82xx Family and in the 83xx Family.
Step 8 From the Slot on Secondary Device drop-down list, select the stacking network module that connects the secondary device to the primary device.
Step 9 Click Add.
The Add Stack window reappears with the new secondary device included.
Step 10 Optionally, repeat steps 5 through 9 if you are adding secondary devices to an existing stack of 3D8250s, a 3D8260, a 3D8270, an existing stack of 3D8350s, a 3D8360, or a 3D8370, or an existing stack of AMP8350s, an AMP8360, or an AMP8370.
Step 11 Click Stack.
The device stack is established or the additional secondary devices are added. Note that this process takes a few minutes as the process synchronizes system data.
Editing Device Stacks
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
After you establish a device stack, most changes you make to the device configuration also change the configuration of the entire stack. On the Stack page of the appliance editor, you can make changes to the stack configuration as on the Device page of a single device.
You can change the display name of the stack, enable and disable licenses, view system and health policies, configure automatic application bypass, and set up fast-path rules.
See the following sections for more information:
To edit a stacked configuration:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the stacked device where you want to edit the configuration, click the edit icon.
The Stack page for that device appears.
Step 3 Use the sections on the Stack page to make changes to the stacked configuration as you would a single device configuration.
Configuring Individual Devices in a Stack
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
After you establish a device stack, you can still configure some attributes for only one device within the stack. On the Devices page of the appliance editor, you can make changes to a device configured in a stack as on the Device page of a single device.
You can change the display name of a device, view system settings, shut down or restart a device, view health information, and edit device management settings.
See the following sections for more information:
To configure an individual device in a stack:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the stacked device where you want to edit the configuration, click the edit icon.
The Stack page for that device appears.
Step 3 Click Devices.
The Devices page appears.
Step 4 From the Selected Device drop-down list, select the device you want to modify.
Step 5 Use the sections on the Devices page to make changes to the individual stacked device as you would a single device.
Configuring Interfaces on a Stacked Device
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
Except for the management interface, you configure stacked device interfaces on the Interfaces page of the primary device in the stack. You can select any device in the stack to configure the management interface. See Configuring Management Interfaces for more information.
The Interfaces page of a Series 3 stacked device includes the hardware and interfaces views that you find on an individual device. The Interfaces page of a 3D9900 does not include these views. See Configuring Sensing Interfaces for more information.
To configure interfaces on a stacked device:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the stacked device where you want to configure interfaces, click the edit icon.
The Stack page for that device appears.
Step 3 Click Interfaces.
The Interfaces page appears.
Step 4 From the Selected Device drop-down list, select the device you want to modify.
Step 5 Configure interfaces as you would on an individual device. See Configuring Sensing Interfaces for more information.
Separating Stacked Devices
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
If you no longer need to use a stacked configuration for your devices, you can break the stack and separate the devices.
To separate stacked devices:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device stack you want to break, click the break stack icon.
The Confirm Break pop-up window appears.
Tip To remove a secondary device from a stack of three or more 3D8250 devices without breaking the stack, click the remove from stack icon. Removing the secondary device causes a brief disruption of traffic inspection, traffic flow, or link state as the system reconfigures the stack for operation without the extra device.
Step 3 Click Yes.
The device stack is separated.
Replacing a Device in a Stack
License: Any
Supported Devices: 3D8140, 3D8200 family, 3D8300 family, AMP8300 family, 3D9900
To replace a stacked device, you must break the stack.
Warning If the Defense Center cannot communicate with the device, you must connect to the device and use CLI commands to separate the stack and unregister the device from the Defense Center. For more information, see the stacking disable and delete CLI commands in Configuration Commands.
To replace a device in a device stack:
Step 1 Select the stack with the device to replace and break that stack. For more information, see Separating Stacked Devices.
Step 2 Unregister the device from the Defense Center. For more information, see Disabling High Availability and Unregistering Devices.
Step 3 Register the replacement device to the Defense Center. For more information, see Adding Devices to the Defense Center.
Step 4 Create a device stack that includes the replacement device. For more information, see Establishing Device Stacks.
Editing Device Configuration
License: Any
The Device page of the appliance editor displays detailed device configuration and information. It also allows you to make changes to some parts of device configuration, such as enabling and disabling licenses, shutting down and restarting a device, modifying management, and setting up fast-path rules.
See the following sections for more information:
Editing General Device Settings
License: Any
The General section of the Device tab displays the managed device settings listed below, which you can change.
Name
The assigned name for the managed device.
Transfer Packets
Indicates whether packet data is transferred to the Defense Center to be stored with events.
To edit the general device settings:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to edit the assigned name, click the edit icon.
The Interfaces page for that device appears.
Step 3 Click Device.
The Device page appears.
Tip For stacked devices, you edit the assigned device name for the stack on the Stack page of the appliance editor. You can edit the assigned device name for an individual device on the Devices page of the appliance editor.
Step 4 Next to the General section, click the edit icon.
The General pop-up window appears.
Step 5 In the Name field, type a new assigned name for the device. You may enter alphanumeric characters and special characters, with the exception of the following characters, which are invalid: +, (, ), {, }, #, &, \, <, >, ?, ', and ".
Step 6 Select the Transfer Packets check box to allow packet data to be stored with events on the Defense Center. Clear the check box to prevent the managed device from sending packet data with the events.
Step 7 Click Save.
The changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Enabling and Disabling Device Licenses
License: Any
Supported Devices: Series 3, Virtual, X-Series, ASA FirePOWER
You can enable licenses on your device if you have available licenses on your Defense Center. Note that:
- Control, Malware, and URL Filtering licenses require a Protection license.
- You cannot enable a VPN license on a virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER devices.
- Although you can enable a Control license on a virtual device, Cisco NGIPS for Blue Coat X-Series, or ASA FirePOWER device, these devices do not support fast-path rules, switching, routing, stacking, or clustering. Cisco NGIPS for Blue Coat X-Series also does not support application or user control.
- You cannot change the license settings on clustered devices.
- Because Series 2 devices automatically have Protection capabilities, with the exception of Security Intelligence filtering, you cannot disable these capabilities, nor can you apply other licenses to a Series 2 device.
For more information, see Licensing the FireSIGHT System.
To enable or disable device licenses:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to enable or disable licenses, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Tip For stacked devices, you enable or disable the licenses for the stack on the Stack page of the appliance editor.
Step 4 Next to the License section, click the edit icon.
The License pop-up window appears.
Step 5 You have the following options:
- To enable a license, select the check box next to the license name.
- To disable a license, clear the check box next to the license name.
Step 6 Click Save.
The changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Editing Device System Settings
License: Any
The System section of the Device tab displays a read-only table of system information, as described in the following table.
Table 4-2 System Section Table Fields
Field | Description
Model | The model name and number for the managed device.
Serial | The serial number of the chassis of the managed device.
Time | The current system time of the device.
Version | The version of the software currently installed on the managed device.
Policy | A link to the system policy currently applied to the managed device.
You can also shut down or restart the device.
Note You cannot shut down or restart X-Series or ASA FirePOWER devices with the FireSIGHT System user interface. See the Cisco NGIPS for Blue Coat X-Series Installation Guide or the ASA documentation for more information on how to shut down the respective devices.
To shut down and restart a managed device:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device that you want to restart, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Tip For stacked devices, you shut down or restart an individual device on the Devices page of the appliance editor.
Step 4 To shut down the device, click the shut down device icon.
Step 5 When prompted, confirm that you want to shut down the device.
You are returned to the Device Management page.
Step 6 To restart the device, click the restart device icon.
Step 7 When prompted, confirm that you want to restart the device.
The device is restarted.
Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Viewing the Health of a Device
License: Any
The Health section of the Device tab displays health-related information. You can view an icon showing the current health status of the managed device. You can also click the icon to navigate to the Health Monitor page for that device. See Interpreting Health Monitor Status for more information.
You can click the Policy link to view a read-only version of the currently applied health policy. See Editing Health Policies for more information.
You can also click the Blacklist link to go to the Health Blacklist page, where you can enable and disable health blacklist modules. See Blacklisting a Health Policy Module for more information.
Editing Device Management Settings
License: Any
The Management section of the Device tab displays the remote management information listed below.
Host
The current management host name or IP address of the device. You can use this setting to specify the management host name and regenerate the virtual IP address.
Note In some cases, if you edit the host name or IP address of a device by another method (using the device’s LCD panel or CLI, for example), you may need to use the procedure below to manually update the host name or IP address on the managing Defense Center.
Status
Specifies the status of the communication channel between the Defense Center and the managed device.
Tip You can click the slider to enable or disable management of the managed device. Disabling management blocks the connection between the Defense Center and the device, but does not delete the device from the Defense Center. If you no longer want to manage a device, see Deleting Devices.
To modify device management options:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to modify management options, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Tip For stacked devices, you modify management options on an individual device on the Devices page of the appliance editor.
Step 4 Next to the Management section, click the edit icon.
The Management pop-up window appears.
Step 5 In the Host field, enter the name or IP address of the management host.
Step 6 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Understanding Advanced Device Settings
License:
Any
Supported Devices:
feature dependent
The Advanced section of the Device tab displays a table of advanced configuration settings, as described in the following table.
Table 4-3 Advanced Section Table Fields
| Field | Description | Supported Devices |
| --- | --- | --- |
| Application Bypass | The state of Automatic Application Bypass on the device. | Series 2, Series 3, Virtual |
| Bypass Threshold | The Automatic Application Bypass threshold, in milliseconds. | Series 2, Series 3, Virtual |
| Inspect Local Router Traffic | Whether the device inspects traffic received on routed interfaces that is destined for itself, such as ICMP, DHCP, and OSPF traffic. | Series 3 |
| Fast-Path Rules | The number of fast-path rules that have been created on the device. | 8000 Series, 3D9900 |
You can use the Advanced section to edit any of these settings. See the following sections for more information:
Automatic Application Bypass
License:
Any
The Automatic Application Bypass (AAB) feature limits the time allowed to process packets through an interface and allows packets to bypass detection if the time is exceeded. The feature functions with any deployment; however, it is most valuable in inline deployments.
You balance packet processing delays with your network’s tolerance for packet latency. When a malfunction within Snort or a device misconfiguration causes traffic processing time to exceed a specified threshold, AAB causes Snort to restart within ten minutes of the failure, and generates troubleshoot data that can be analyzed to investigate the cause of the excessive processing time.
In Version 5.4.1 and higher, the default behavior for the AAB option varies by device, as follows:
- Series 3: off
- Series 2 and virtual: on
- ASA FirePOWER: not supported
- X-Series: not supported
If you upgrade from a version earlier than 5.3, the existing setting is retained. You can change the bypass threshold if the option is selected. The default setting is 3000 milliseconds (ms). The valid range is from 250 ms to 60,000 ms.
Typically, you use Rule Latency Thresholding in the intrusion policy to fast-path packets after the latency threshold value is exceeded. Rule Latency Thresholding does not shut down the engine or generate troubleshoot data. For more information, see Configuring Packet and Intrusion Rule Latency Thresholds.
Note AAB is activated only when an excessive amount of time is spent processing a single packet. If AAB engages, the Snort process restarts, which temporarily interrupts traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. See How Snort Restarts Affect Traffic for more information.
If detection is bypassed, the device generates a health monitoring alert. For more information on that health monitoring alert, see Using the Health Monitor.
For more information about enabling Automatic Application Bypass and setting the bypass threshold, see Editing Advanced Device Settings.
Editing Advanced Device Settings
License:
Any
Supported Devices:
feature dependent
You can use the Advanced section of the Devices tab to modify the Automatic Application Bypass and Inspect Local Router Traffic settings. You can also configure fast-path rules, as explained in Configuring Fast-Path Rules.
Note the following:
- you can configure fast-path rules only on 8000 Series and 3D9900 devices.
- you can configure Inspect Local Router Traffic only on Series 3 devices.
To modify advanced device settings:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to edit advanced device settings, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Tip For stacked devices, you edit the advanced device settings for the stack on the Stack page of the appliance editor.
Step 4 Next to the Advanced section, click the edit icon.
The Advanced pop-up window appears.
Step 5 Optionally, select Automatic Application Bypass if your network is sensitive to latency. Automatic Application Bypass is most useful in inline deployments. For more information, see Automatic Application Bypass.
Step 6 When you select the Automatic Application Bypass option, you can type a Bypass Threshold in milliseconds (ms). The default setting is 3000 ms and the valid range is from 250 ms to 60,000 ms.
Step 7 Optionally, select the Inspect Local Router Traffic check box to inspect exception traffic when deployed as a router.
Step 8 Optionally, configure fast-path rules. For more information, see Configuring Fast-Path Rules.
Step 9 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Configuring Fast-Path Rules
License:
Any
Supported Devices:
8000 Series, 3D9900
You can create fast-path rules to send traffic directly through a device with no further inspection. Fast-path rules divert traffic that does not need to be analyzed to bypass the device. Fast-path rules either send traffic to the fast-path (out of the interface) or allow it to continue into the device for further analysis. Their advantage is the speed at which they determine the correct path for the traffic. Because the fast-path rules function at the hardware level, they only determine limited information about the packet.
See the following sections for more information:
Adding IPv4 Fast-Path Rules
License:
Any
Supported Devices:
8000 Series, 3D9900
Fast-path rules send traffic to the fast-path (out of the interface) or into the device for further analysis. You can use the following criteria to select the IPv4 traffic you want to divert to the fast-path and not inspect:
- initiator or responder IP address or CIDR block
- protocol
- initiator or responder port, for TCP or UDP protocols
- VLAN ID
- bidirectional option
Note that the outermost VLAN ID is used for fast-path rules.
Tip To edit an existing fast-path rule, click the edit icon next to the rule.
To build or edit IPv4 fast-path rules:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to add a fast-path rule, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Step 4 Next to the Advanced section, click the edit icon.
The Advanced pop-up window appears.
Step 5 Click New IPv4 Rule to add a fast-path rule.
The New IPv4 Rule pop-up window appears.
Step 6 From the Domain drop-down list, select an inline set or passive security zone. See Setting Up an IPS Device for more information.
Step 7 Use CIDR notation in the Initiator and the Responder fields to designate the IP addresses of initiators or responders whose packets should bypass further analysis.
Your rule matches packets from the designated initiators or packets to the designated responders. For information on using CIDR notation in the FireSIGHT System, see IP Address Conventions.
Step 8 Optionally, from the Protocol drop-down list, select the protocol on which you want the rule to act or select All to match traffic from any protocol on the list.
Step 9 Optionally, if you chose the TCP or UDP protocol in step 8, enter initiator and responder ports in the Initiator Port and the Responder Port fields to designate ports.
Tip You can enter a comma-separated list of port numbers in each rule. You cannot use port ranges in IPv4 fast-path rules. Note that a blank port value is treated as Any.
If you also select the Bidirectional option, your filter criteria are narrowed to packets from those initiator ports or packets to those responder ports.
Step 10 Optionally, enter a VLAN ID in the VLAN field.
Your rule matches only traffic for that VLAN. Note that a blank VLAN value is treated as Any.
Step 11 Optionally, select the Bidirectional option to filter all traffic traveling between the specified initiator and responder IP addresses. Clear the option to filter only traffic from the specified initiator IP address to the specified responder IP address.
Step 12 Click Save.
The rule is added under Fast-Path Rules in the Advanced pop-up window. Although the rule is added, you must click Save again to save the rule. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Adding IPv6 Fast-Path Rules
License:
Any
Supported Devices:
Series 3, 3D9900
Fast-path rules send traffic to the fast-path (out of the interface) or into the device for further analysis. You can use the following criteria to select the IPv6 traffic you want to divert to the fast-path and not inspect:
- initiator or responder IP address or address block
- protocol
- initiator or responder port, for TCP or UDP protocols
- VLAN ID
- bidirectional option
Note that the outermost VLAN ID is used for fast-path rules.
Tip To edit an existing fast-path rule, click the edit icon next to the rule.
To add an IPv6 fast-path rule:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to add a fast-path rule, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Step 4 Next to the Advanced section, click the edit icon.
The Advanced pop-up window appears.
Step 5 Click New IPv6 Rule to add a fast-path rule.
The New IPv6 Rule pop-up window appears. Note that the initiator and responder fields are fixed and indicate that the filter applies to IPv6 packets from any initiator or responder.
Step 6 From the Domain drop-down list, select an inline set or passive security zone. See Setting Up an IPS Device for more information.
Step 7 Type IP addresses or use IPv6 prefix length notation to specify address blocks in the Initiator and the Responder fields for the IP addresses of initiators or responders whose packets should bypass further analysis.
Your rule matches packets from the designated initiators or packets to the designated responders. For information on using IPv6 prefix length notation in the FireSIGHT System, see IP Address Conventions.
Step 8 Optionally, from the Protocol drop-down list, select the protocol on which you want the rule to act or select All to match traffic from any protocol on the list.
Your fast-path rule matches only the selected protocol’s packets.
Step 9 Optionally, if you chose the TCP or UDP protocol in step 8, enter initiator and responder ports in the Initiator Port and the Responder Port fields to designate ports.
Tip You can enter a comma-separated list of port numbers in each rule. You cannot use port ranges in IPv6 fast-path rules. Note that a blank port value is treated as Any.
Step 10 Optionally, enter a VLAN ID in the VLAN field.
Your rule matches only traffic for that VLAN. Note that a blank VLAN value is treated as Any.
Step 11 Optionally, select Bidirectional to filter all traffic traveling between the specified initiator and responder ports. Clear the option to specify that your rule matches only packets from those initiator ports or packets to those responder ports.
Step 12 Click Save.
The rule is added under Fast-Path Rules in the Advanced pop-up window.
Step 13 In the Advanced pop-up window, click Save.
The rule is saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
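The matching criteria described in Adding IPv4 Fast-Path Rules and Adding IPv6 Fast-Path Rules, worked through as an added example; this is illustrative code, not part of the FireSIGHT System or of this guide. It assumes that rules store IP protocol numbers, that both port criteria must hold in the direction being matched, and that a packet with no port (ICMP, for example) never satisfies a port criterion; the audit function at the end is an added defender check that flags rules broad enough to send all traffic past inspection.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TCP, UDP = 6, 17  # IP protocol numbers (assumption: rules store protocol numbers)

def parse_ports(text: str) -> Optional[FrozenSet[int]]:
    """Parse an Initiator Port / Responder Port field: a comma-separated list
    of single port numbers. Ranges are rejected; a blank field means Any."""
    if not text.strip():
        return None
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if not item.isdigit() or int(item) > 65535:  # rejects "1024-2048" etc.
            raise ValueError(f"not a single port number: {item!r}")
        ports.add(int(item))
    return frozenset(ports)

@dataclass(frozen=True)
class FastPathRule:
    initiator: str                                    # CIDR block or IPv6 prefix
    responder: str
    protocol: Optional[int] = None                    # None = All
    initiator_ports: Optional[FrozenSet[int]] = None  # None = Any
    responder_ports: Optional[FrozenSet[int]] = None  # None = Any
    vlan: Optional[int] = None                        # None = Any
    bidirectional: bool = False

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    sport: Optional[int] = None  # None for protocols without ports (ICMP etc.)
    dport: Optional[int] = None
    vlan: Optional[int] = None   # outermost 802.1Q tag, the only one rules see

def _direction_matches(rule: FastPathRule, src: str, dst: str,
                       sport: Optional[int], dport: Optional[int]) -> bool:
    """src must fall in the initiator block and dst in the responder block; any
    port criterion set on the rule must hold too (assumption: both must hold,
    and a packet with no port never satisfies one, so it stays inspected)."""
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.initiator, strict=False):
        return False
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.responder, strict=False):
        return False
    if rule.initiator_ports is not None and sport not in rule.initiator_ports:
        return False
    if rule.responder_ports is not None and dport not in rule.responder_ports:
        return False
    return True

def matches(rule: FastPathRule, pkt: Packet) -> bool:
    """True if this rule sends the packet to the fast path (out of the
    interface with no further inspection)."""
    if rule.protocol is not None and pkt.protocol != rule.protocol:
        return False
    if rule.vlan is not None and pkt.vlan != rule.vlan:
        return False
    if _direction_matches(rule, pkt.src, pkt.dst, pkt.sport, pkt.dport):
        return True
    # Bidirectional: the reverse direction (responder -> initiator) also matches.
    return rule.bidirectional and _direction_matches(rule, pkt.dst, pkt.src, pkt.dport, pkt.sport)

def audit(rules: List[FastPathRule]) -> List[str]:
    """Flag any-to-any rules with no protocol or port restriction: everything
    they match on that VLAN (or on all VLANs) leaves the device uninspected."""
    findings = []
    for i, r in enumerate(rules):
        any_to_any = all(ipaddress.ip_network(n, strict=False).prefixlen == 0
                         for n in (r.initiator, r.responder))
        if any_to_any and r.protocol is None and r.initiator_ports is None and r.responder_ports is None:
            vlan = "all VLANs" if r.vlan is None else f"VLAN {r.vlan}"
            findings.append(f"rule {i}: all traffic on {vlan} bypasses inspection")
    return findings

# Constructed sample rules, not taken from any real deployment.
BACKUP_RULE = FastPathRule("10.1.1.0/24", "10.2.0.0/16", protocol=TCP,
                           responder_ports=parse_ports("873"), vlan=20)
V6_RULE = FastPathRule("2001:db8:1::/48", "2001:db8:2::/48", bidirectional=True)
```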
Deleting Fast-Path Rules
License:
Any
Supported Devices:
8000 Series, 3D9900
The following procedure explains how to delete any IPv4 or IPv6 fast-path rule.
To delete any fast-path rule:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to delete a fast-path rule, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Click Device.
The Devices tab appears.
Step 4 Next to the Advanced section, click the edit icon.
The Advanced pop-up window appears.
Step 5 Next to the fast-path rule you want to delete, click the delete icon.
Step 6 When prompted, confirm that you want to delete the rule.
The rule is removed from the Advanced pop-up window.
Step 7 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Configuring Sensing Interfaces
License:
Any
You can configure the sensing interfaces of a managed device, according to your FireSIGHT System deployment, from the Interfaces page of the appliance editor.
The top of the Interfaces page displays a physical hardware view of a managed Series 3 device. Series 2, virtual devices, Cisco NGIPS for Blue Coat X-Series, and ASA FirePOWER devices do not have physical hardware views. The following graphic shows the hardware view for a 3D8250.
The following table explains how to use the physical hardware view.
Table 4-4 Using the Hardware View
| To | Do this |
| --- | --- |
| view a network module’s type, part number, and serial number | hover your cursor over the dark circle in the lower left corner of the network module. |
| select an interface in the interfaces table view | click the interface. |
| open an interface editor | double-click the interface. |
| view the name of the interface, the type of interface, whether the interface has link, the interface’s speed setting, and whether the interface is currently in bypass mode | hover your cursor over the interface. |
| view the details about an error or warning | hover your cursor over the affected port on the network module. |
The interfaces table view, which is below the Series 3 hardware view, lists all the available interfaces you have on a device. The table includes an expandable navigation tree you can use to view all configured interfaces. You can click the arrow icon next to an interface to collapse or expand the interface to hide or view its subcomponents. The interfaces table view also provides summarized information about each interface, as described in the following table. Note that only 8000 Series devices display the MAC Address and IP Address columns. See the following table for more information.
Table 4-5 Interfaces Table View Fields
| Field | Description |
| --- | --- |
| Name | Each interface type is represented by a unique icon that indicates its type and link state (if applicable). You can hover your pointer over the name or the icon to view the interface type, speed, and duplex mode (if applicable) in a tooltip. The interface icons are described in Table 4-6. The icons use a badging convention to indicate the current link state of the interface, which may be one of three states: error, fault, or not available. Logical interfaces have the same link state as their parent physical interface. Cisco NGIPS for Blue Coat X-Series and ASA FirePOWER devices do not display link state. Note that disabled interfaces are represented by semi-transparent icons. Interface names, which appear to the right of the icons, are auto-generated with the exception of hybrid and ASA FirePOWER interfaces, which are user-defined. Note that for ASA FirePOWER interfaces, the system displays only interfaces that are enabled, named, and have link. Physical interfaces display the name of the physical interface. Logical interfaces display the name of the physical interface and the assigned VLAN tag. ASA FirePOWER interfaces display the name of the security context and the name of the interface if there are multiple security contexts. If there is only one security context, the system displays only the name of the interface. |
| Security Zone | The security zone where the interface is assigned. To add or edit a security zone, click the edit icon. |
| Used by | The inline set, virtual switch, or virtual router where the interface is assigned. ASA FirePOWER devices do not display the Used by column. |
| MAC Address | The MAC address displayed for the interface when it is enabled for switched and routed features. For virtual devices, the MAC address is displayed so that you can match the network adapters configured on your device to the interfaces that appear on the Interfaces page. Cisco NGIPS for Blue Coat X-Series and ASA FirePOWER devices do not display MAC addresses. |
| IP Addresses | IP addresses assigned to the interface. Hover your pointer over an IP address to view whether it is active or inactive. Inactive IP addresses are grayed out. ASA FirePOWER devices do not display IP addresses. |
Note that you can only configure a total of 1024 interfaces on a FirePOWER managed device.
Note The Defense Center does not display ASA interfaces when the ASA FirePOWER device is deployed in SPAN port mode.
See the following sections for details on the different ways you can configure interfaces on a device:
Configuring HA Link Interfaces
License:
Any
Supported Devices:
Series 3
After you establish a device cluster, you can configure a physical interface as a high availability (HA) link interface. This link acts as a redundant communications channel for sharing health information between the clustered devices. When you configure an HA link interface on one device, you automatically configure an interface on the second device. You must configure both HA links on the same broadcast domain. See Clustering Devices for more information.
Dynamic NAT relies on dynamically allocating IP addresses and ports to map to other IP addresses and ports. Without an HA link, these mappings are lost in a failover, causing all translated connections to fail as they are routed through the now active device in the cluster.
Caution Changing any (Series 2) or the highest (Series 3) MTU value for a sensing interface or inline set temporarily interrupts traffic inspection on all sensing interfaces on the device, not just the interface you changed, when you apply your changes. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and the interface type. See How Snort Restarts Affect Traffic.
To configure an HA link interface:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the clustered device where you want to configure the HA link interface, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Next to the interface you want to configure as an HA link interface, click the edit icon.
The Edit Interface pop-up window appears.
Step 4 Click HA Link to display the HA link options.
Step 5 Select the Enabled check box to allow the HA link interface to provide link.
If you clear the check box, the interface becomes disabled and administratively taken down.
Step 6 From the Mode drop-down list, select an option to designate the link mode or select Autonegotiation to specify that the interface is configured to autonegotiate speed and duplex settings.
Step 7 From the MDI/MDIX drop-down list, select an option to designate whether the interface is configured for MDI (medium dependent interface), MDIX (medium dependent interface crossover), or Auto-MDIX.
Normally, MDI/MDIX is set to Auto-MDIX, which automatically handles switching between MDI and MDIX to attain link.
Step 8 In the MTU field, type a maximum transmission unit (MTU), which designates the largest size packet allowed.
The range within which you can set the MTU can vary depending on the FireSIGHT System device model and the interface type. See MTU Ranges for Managed Devices for more information.
Step 9 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
MTU Ranges for Managed Devices
License:
Any
Caution Changing any (Series 2) or the highest (Series 3) MTU value for a sensing interface or inline set temporarily interrupts traffic inspection on all sensing interfaces on the device, not just the interface you changed, when you apply your changes. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and the interface type. See How Snort Restarts Affect Traffic.
Note that for Cisco NGIPS for Blue Coat X-Series, you configure the interface MTU using the Cisco NGIPS for Blue Coat X-Series CLI. See the Cisco NGIPS for Blue Coat X-Series Installation Guide for more information.
Note Because the system automatically trims 18 bytes from the configured MTU value, any value below 1298 does not comply with the minimum IPv6 MTU setting of 1280, and any value below 594 does not comply with the minimum IPv4 MTU setting of 576. For example, the system automatically trims a configured value of 576 to 558.
The following table lists MTU configuration ranges for managed devices.
Table 4-7 MTU Range by Device
| Device | MTU Range |
| --- | --- |
| Series 2, except 3D6500, 3D9900 | 576-1518 (all interfaces, inline sets) |
| 3D6500, 3D9900, virtual | 576-9018 (all interfaces, inline sets) |
| Series 3 | 576-9234 (management interface); 576-10172 (inline sets, passive interface); 576-9922 (all others) |
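An added pre-check for a planned MTU change, written against the ranges in Table 4-7 and the 18-byte trim described in the note above; it is example code, not part of the FireSIGHT System. The device-family and interface-kind labels are assumed names used only as lookup keys, and the Series 3 part of the caution is applied as "the change interrupts inspection only if the device's highest MTU value changes".

```python
from typing import Dict, List, Tuple

TRIM_BYTES = 18      # the system trims 18 bytes from the configured MTU value
MIN_IPV4_MTU = 576   # minimum IPv4 MTU the trimmed value must still meet
MIN_IPV6_MTU = 1280  # minimum IPv6 MTU the trimmed value must still meet

# Inclusive configurable ranges from Table 4-7. "*" covers every interface
# kind for the first two families and "all others" for Series 3 (assumed keys).
MTU_RANGES: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("series2", "*"): (576, 1518),               # Series 2 except 3D6500, 3D9900
    ("3d6500_3d9900_virtual", "*"): (576, 9018),
    ("series3", "management"): (576, 9234),
    ("series3", "inline_set"): (576, 10172),
    ("series3", "passive"): (576, 10172),
    ("series3", "*"): (576, 9922),
}

def check_mtu(family: str, kind: str, configured: int) -> Tuple[int, List[str]]:
    """Return the effective (trimmed) MTU and a list of issue codes for a
    value you plan to type into the MTU field."""
    low, high = MTU_RANGES.get((family, kind)) or MTU_RANGES[(family, "*")]
    issues = []
    if not low <= configured <= high:
        issues.append("out_of_range")
    effective = configured - TRIM_BYTES
    if effective < MIN_IPV4_MTU:
        issues.append("below_ipv4_min")  # any configured value below 594
    if effective < MIN_IPV6_MTU:
        issues.append("below_ipv6_min")  # any configured value below 1298
    return effective, issues

def change_interrupts_inspection(family: str, mtus: List[int], index: int, new_mtu: int) -> bool:
    """Per the caution above: on Series 2 any sensing-interface MTU change
    interrupts inspection on all sensing interfaces when applied; on Series 3
    only a change that alters the device's highest MTU value does. mtus holds
    the current sensing-interface MTUs and index is the one being changed."""
    if family != "series3":
        return mtus[index] != new_mtu
    after = mtus[:index] + [new_mtu] + mtus[index + 1:]
    return max(mtus) != max(after)
```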
Managing Cisco ASA with FirePOWER Services Interfaces
License:
Protection
Supported Devices:
ASA FirePOWER
When editing an ASA FirePOWER interface, you can configure only the interface’s security zone from the FireSIGHT Defense Center. See Working with Security Zones for more information.
You fully configure ASA FirePOWER interfaces using the ASA-specific software and CLI. If you edit an ASA FirePOWER device and switch from multiple context mode to single context mode (or vice versa), the device renames all of its interfaces. You must reconfigure all FireSIGHT System security zones, correlation rules, and related configurations to use the updated ASA FirePOWER interface names. For more information about ASA FirePOWER interface configuration, see the ASA documentation.
Note You cannot change the type of ASA FirePOWER interface, nor can you disable the interface from the FireSIGHT Defense Center.
To edit an ASA FirePOWER Interface:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to edit the interface, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Next to the interface you want to edit, click the edit icon.
The Edit Interface pop-up window appears.
Step 4 From the Security Zone drop-down list, select an existing security zone or select New to add a new security zone.
Step 5 Click Save.
The security zone is configured. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Disabling Interfaces
License:
Any
You can disable an interface by setting the interface type to None. Disabled interfaces appear grayed out in the interface list.
Note You cannot change the type of an ASA FirePOWER interface, nor can you disable the interface from the FireSIGHT Defense Center.
To disable an interface:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to disable the interface, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Next to the interface you want to disable, click the edit icon.
The Edit Interface pop-up window appears.
Step 4 Click None.
Step 5 Click Save.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices for more information.
Preventing Duplicate Connection Logging
License:
Any
When you update a security zone object, the system saves a new revision of the object. As a result, if you have managed devices in the same security zone that have different revisions of the security zone object configured in the interfaces, you may log what appear to be duplicate connections.
If you notice duplicate connection reporting, you can update all managed devices to use the same revision of the object.
To synchronize security zone object revisions across devices:
Access:
Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.
Caution You must not reapply managed device changes to any device until you have edited the zone setting for interfaces on all devices you want to sync.
Step 2 Next to the device where you want to update the security zone selection, click the edit icon.
The Interfaces tab for that device appears.
Step 3 For each interface logging duplicate connection events, change the Security Zone to another zone, click Save, then change it back to the desired zone, and click Save again.
Step 4 Repeat steps 2 and 3 for each device logging duplicate events.
Step 5 After all interfaces on all devices have been edited, apply device changes to all managed devices at once.