Introduction to Remediations
A remediation is a program that the Firepower System launches in response to a correlation policy violation.
When a remediation runs, the system generates a remediation status event. Remediation status events include details such as the remediation name, the correlation policy and rule that triggered it, and the exit status message.
The system supports several remediation modules:
-
Cisco IOS Null Route — blocks traffic sent to a host or network involved in a correlation policy violation (requires Cisco IOS Version 12.0 or higher)
-
Nmap Scanning — scans hosts to determine running operating systems and servers
-
Set Attribute Value — sets a host attribute on a host involved in a correlation policy violation
 Tip |
You can install custom modules that perform other tasks; see the Firepower System Remediation API Guide. |
Implementing Remediations
To implement a remediation, first create at least one instance for the module you choose. You can create multiple instances per module, where each instance is configured differently. For example, to communicate with multiple routers using the Cisco IOS Null Route remediation module, configure multiples instances of that module.
You can then add multiple remediations to each instance that describe the actions you want to perform when a policy is violated.
Finally, associate remediations with rules in correlation policies, so that the system launches the remediations in response to correlation policy violations.
Remediations and Multitenancy
In a multidomain deployment, you can install custom remediation modules at any domain level. The system-provided modules belong to the Global domain.
Though you cannot add a remediation to an instance created in an ancestor domain, you can create a similarly configured instance in the current domain and add remediations to that instance. You can also use remediations created in ancestor domains as correlation responses.
Cisco IOS Null Route Remediations
The Cisco IOS Null Route remediation module allows you to block an IP address or range of addresses using Cisco’s “null route” command. This drops all traffic sent to a host or network by routing it to the router’s NULL interface. This does not block traffic sent from the violating host or network.
 Note |
Do not use a destination-based remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts. |
 Caution |
When a Cisco IOS remediation is activated, there is no timeout period. To unblock the IP address or network, you must manually clear the routing change from the router. |
Configuring Remediations for Cisco IOS Routers
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
Note |
Do not use a destination-based remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts. |
Caution |
When a Cisco IOS remediation is activated, there is no timeout period. To unblock the IP address or network, you must manually clear the routing change from the router. |
Before you begin
-
Confirm that your Cisco router is running Cisco IOS 12.0 or higher.
-
Confirm that you have level 15 administrative access to the router.
Procedure
| Step 1 |
Enable Telnet on the Cisco router as described in the documentation provided with your Cisco router or IOS software. |
| Step 2 |
On the Firepower Management Center, add a Cisco IOS Null Route instance for each Cisco IOS router you plan to use; see Adding a Cisco IOS Instance. |
| Step 3 |
Create remediations for each instance, based on the type of response you want to elicit on the router when correlation policies are violated: |
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
Adding a Cisco IOS Instance
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
If you have multiple routers where you want to send remediations, create a separate instance for each router.
Before you begin
-
Configure Telnet access on the Cisco IOS router as described in the documentation provided with the router or IOS software.
Procedure
| Step 1 |
Choose . |
||
| Step 2 |
From the Add a New Instance list, choose Cisco IOS Null Route and click Add. |
||
| Step 3 |
Enter an Instance Name and Description. |
||
| Step 4 |
In the Router IP field, enter the IP address of the Cisco IOS router you want to use for the remediation. |
||
| Step 5 |
In the Username field, enter the Telnet user name for the router. This user must have level 15 administrative access on the router. |
||
| Step 6 |
In the Connection Password fields, enter the Telnet user’s user password. |
||
| Step 7 |
In the Enable Password fields, enter the Telnet user’s enable password. This is the password used to enter privileged mode on the router. |
||
| Step 8 |
In the White List field, enter IP addresses or ranges that you want to exempt from the remediation, one per line.
|
||
| Step 9 |
Click Create. |
What to do next
-
Add specific remediations to be used by correlation policies as described in Adding Cisco IOS Block Destination Remediations, Adding Cisco IOS Block Destination Network Remediations, Adding Cisco IOS Block Source Remediations, and Adding Cisco IOS Block Source Network Remediations.
Adding Cisco IOS Block Destination Remediations
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
The Cisco IOS Block Destination remediation blocks traffic sent from the router to the destination host involved in a correlation policy violation. Do not use this remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Before you begin
-
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
Procedure
| Step 1 |
Choose . |
| Step 2 |
Next to the instance where you want to add the remediation, click view ( |
| Step 3 |
In the Configured Remediations section, choose Block Destination and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
| Step 4 |
Enter a Remediation Name and Description. |
| Step 5 |
Click Create, then click Done. |
).
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
Adding Cisco IOS Block Destination Network Remediations
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
The Cisco IOS Block Destination Network remediation blocks traffic sent from the router to the network of the destination host involved in a correlation policy violation. Do not use this remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Before you begin
-
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
Procedure
| Step 1 |
Choose . |
| Step 2 |
Next to the instance where you want to add the remediation, click view ( |
| Step 3 |
In the Configured Remediations section, choose Block Destination Network and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
| Step 4 |
Enter a Remediation Name and Description. |
| Step 5 |
In the Netmask field, enter the subnet mask or use CIDR notation to describe the network that you want to block traffic to. For example,
to block traffic to an entire Class C network when a single host triggered a
rule (this is not recommended), use
As another
example, to block traffic to 30 addresses that include the triggering IP
address, specify
|
| Step 6 |
Click Create, then click Done. |
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
Adding Cisco IOS Block Source Remediations
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
The Cisco IOS Block Source remediation blocks traffic sent from the router to the source host involved in a correlation policy violation.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Before you begin
-
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
Procedure
| Step 1 |
Choose . |
| Step 2 |
Next to the instance where you want to add the remediation, click view ( |
| Step 3 |
In the Configured Remediations section, choose Block Source and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
| Step 4 |
Enter a Remediation Name and Description. |
| Step 5 |
Click Create, then click Done. |
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
Adding Cisco IOS Block Source Network Remediations
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
The Cisco IOS Block Source Network remediation blocks traffic sent from the router to the network of the source host involved in a correlation policy violation.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Before you begin
-
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
Procedure
| Step 1 |
Choose . |
| Step 2 |
Next to the instance where you want to add the remediation, click view ( |
| Step 3 |
In the Configured Remediations section, choose Block Source Network and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
| Step 4 |
Enter a Remediation Name and Description. |
| Step 5 |
In the Netmask field, enter the subnet mask or CIDR notation that describes the network that you want to block traffic to. For example,
to block traffic to an entire Class C network when a single host triggered a
rule (this is not recommended), use
As another
example, to block traffic to 30 addresses that include the triggering IP
address, specify
|
| Step 6 |
Click Create, then click Done. |
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
Nmap Scan Remediations
The Firepower System integrates with Nmap™, an open source active scanner for network exploration and security auditing. You can respond to a correlation policy violation using an Nmap remediation, which triggers an Nmap scan remediation.
For more information about Nmap scanning, see Nmap Scanning.
Set Attribute Value Remediations
You can respond to a correlation policy violation by setting a host attribute value on the host where the triggering event occurred. For text host attributes, you can use the description from the event as the attribute value.
Configuring Set Attribute Remediations
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
Procedure
| Step 1 |
Choose . |
| Step 2 |
Create a set attribute instance as described in Adding a Set Attribute Value Instance. |
| Step 3 |
Add a set attribute remediation as described in Adding Set Attribute Value Remediations. |
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
Adding a Set Attribute Value Instance
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
Procedure
| Step 1 |
Choose . |
| Step 2 |
From the Add a New Instance list, choose Set Attribute Value and click Add. |
| Step 3 |
Enter an Instance Name and Description. |
| Step 4 |
Click Create. |
What to do next
-
Create a set attribute remediation as described in Adding Set Attribute Value Remediations.
Adding Set Attribute Value Remediations
| Smart License | Classic License | Supported Devices | Supported Domains | Access |
|---|---|---|---|---|
|
Any |
Any |
Any |
Any |
Admin |
The Set Attribute Value remediation sets a host attribute on a host involved in a correlation policy violation. Create a remediation for each attribute value you want set. For text attributes, you can use the description from the triggering event as the attribute value.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Before you begin
-
Create a set attribute instance as described in Adding a Set Attribute Value Instance.
Procedure
| Step 1 |
Choose . |
| Step 2 |
Next to the instance where you want to add the remediation, click view ( |
| Step 3 |
In the Configured Remediations section, choose Set Attribute Value and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
| Step 4 |
Enter a Remediation Name and Description. |
| Step 5 |
To use this remediation in response to an event with source and destination data, choose an Update Which Host(s) From Event option. |
| Step 6 |
For text attributes, specify whether you want to Use Description From Event For Attribute Value:
|
| Step 7 |
Click Create, then click Done. |
What to do next
-
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
)
Feedback