A FireSIGHT System generates events when it detects a new host on your monitored network segment.It may detect an operating system or service incorrectly, or with less confidence. If an event is marked as Unknown, it means that the traffic is analyzed, but the operating systems do not match any of the known fingerprints. This document provides a checklist and recommendations to minimize Unknown events.
The information in this document is based on these hardware and software versions:
FireSIGHT System, FirePOWER Appliances, and NGIPS Virtual Appliances
Software Version 5.2 or later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
If your FireSIGHT System is generating events that are in pending or in unknown state, you can follow the steps below to start troubleshooting this issue:
Note: Unidentified hosts are not the same as Unknown hosts. Unidentified hosts are hosts about which a system has not yet gathered enough information to identify their operating systems.
1. What VDB version is installed on the FireSIGHT Management Center?
The latest VDB version has more fingerprint information. It is always recommended to have the latest version installed on the FireSIGHT Management Center.
2. What is the host limit of your FireSIGHT license? How many hosts have been detected by FireSIGHT?
If the host limit exceeds, a FireSIGHT System prunes the oldest data as the new data comes in. You can configure the System Policy to drop new hosts when host limit reached.
3. How many hops away the hosts are located from the FireSIGHT managed device?
The higher the hop count between the hosts and a managed device, the further away the host is from the device, and thus increased likelihood the traffic has been modified and will not allow accurate identification.
4. Are there any in-line devices between the hosts and managed device?
The presence of any in-line device; such as firewall, NAT device, load balancer and proxy server can modify the original TCP or IP header information which can also be the causes of misidentified or unidentified information collection from the hosts.
5. Are the managed devices monitoring traffic in any asynchronous routing network?
If a FireSIGHT System monitors asynchronous routing traffic, it may not be able to see the complete session.
6. Are there any non-standard ports used for any services? Are there any custom decoders configured to address the non-standard ports?
An improperly configured custom decoder may conflict with the default decoders.
If all the above recommendations are followed, but still there are unknown, pending or unidentified hosts found, then we will need to analyze the following data:
1. Full Session Traffic
Full session traffic from the hosts that are identified incorrectly, or marked as unknown or pending.
2. Troubleshooting Files
Troubleshooting files from the FireSIGHT Management Center and managed device. The network map or the topology showing the location of managed device would be helpful.
3. Packet Capture (PCAP)
The packets received by the managed device may be different than the packets originated on the hosts. It happens if any header modifying inline device exists between the hosts and managed device. Therefore, it is better to capture PCAP from both ends - hosts and managed devices, which allows to compare the headers from the two PCAPs. Any mismatch between the packets can cause misidentification of services or hosts.