About Health Monitoring
The health monitor on the Firepower Management Center tracks a variety of health indicators to ensure that the hardware and software in the Firepower System are working correctly. You can use the health monitor to check the status of critical functionality across your Firepower System deployment.

You can use the health monitor to create a collection of tests, referred to as a health policy, and apply the health policy to one or more appliances. The tests, referred to as health modules, are scripts that test for criteria you specify. You can modify a health policy by enabling or disabling tests or by changing test settings, and you can delete health policies that you no longer need. You can also suppress messages from selected appliances by blacklisting them.
The tests in a health policy run automatically at the interval you configure. You can also run all tests, or a specific test, on demand. The health monitor collects health events based on the test conditions configured.
![]() Note |
All Appliances automatically report their hardware status via the Hardware Alarms health module. The Firepower Management Center also automatically reports status using the modules configured in the default health policy. Some health modules, such as the Appliance Heartbeat module, run on the Firepower Management Center and report the status of the Firepower Management Center's managed devices. Some health modules do not provide managed device status unless you apply a health policy configured with those modules to a device. |
You can use the health monitor to access health status information for the entire system, for a particular appliance, or, in a multidomain deployment, a particular domain. Pie charts and status tables on the Health Monitor page provide a visual summary of the status of all appliances on your network, including the Firepower Management Center. Individual appliance health monitors let you drill down into health details for a specific appliance.
Fully customizable event views allow you to quickly and easily analyze the health status events gathered by the health monitor. These event views allow you to search and view event data and to access other information that may be related to the events you are investigating. For example, if you want to see all the occurrences of CPU usage with a certain percentage, you can search for the CPU usage module and enter the percentage value.
You can also configure email, SNMP, or syslog alerting in response to health events. A health alert is an association between a standard alert and a health status level. For example, if you need to make sure an appliance never fails due to hardware overload, you can set up an email alert. You can then create a health alert that triggers that email alert whenever CPU, disk, or memory usage reaches the Warning level you configure in the health policy applied to that appliance. You can set alerting thresholds to minimize the number of repeating alerts you receive.
You can also generate troubleshooting files for an appliance if you are asked to do so by Support.
Because health monitoring is an administrative activity, only users with administrator user role privileges can access system health data.
Health Modules
Health modules, or health tests, test for the criteria you specify in a health policy.
Module |
Appliances |
Description |
||
---|---|---|---|---|
AMP for Endpoints Status |
FMC |
The module alerts if the FMC cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. It also alerts if you deregister an AMP cloud connection using the AMP for Endpoints management console. |
||
AMP for Firepower Status (AMP for Networks Status) |
FMC |
This module alerts if:
If your FMC loses connectivity to the Internet, the system may take up to 30 minutes to generate a health alert. |
||
Appliance Heartbeat |
Any |
This module determines if an appliance heartbeat is being heard from the appliance and alerts based on the appliance heartbeat status. |
||
Automatic Application Bypass Status |
7000 & 8000 Series |
This module determines if an appliance has been bypassed because it did not respond within the number of seconds set in the bypass threshold, and alerts when a bypass occurs. | ||
Backlog Status |
FMC |
This module displays an alert if the backlog of event data awaiting transmission from the device to the FMC has grown continuously for more than 30 minutes. To reduce the backlog, evaluate your bandwidth and consider logging fewer events. |
||
Classic License Monitor |
FMC |
This module determines if sufficient Classic licenses remain. It also alerts when devices in a stack have mismatched license sets. It alerts based on a warning level automatically configured for the module. You cannot change the configuration of this module. |
||
CPU Usage |
Any |
This module checks that the CPU on the appliance is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. |
||
Card Reset |
Any |
This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs. |
||
Cluster Status |
Threat Defense |
This module monitors the status of device clusters. The module alerts if:
|
||
Disk Status |
Any |
This module examines performance of the hard disk, and malware storage pack (if installed) on the appliance. This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected. |
||
Disk Usage |
Any |
This module compares disk usage on the appliance’s hard drive and malware storage pack to the limits configured for the module and alerts when usage exceeds the percentages configured for the module. This module also alerts when the system excessively deletes files in monitored disk usage categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds. Use the Disk Usage health status module to
monitor disk usage for the |
||
Host Limit |
FMC |
This module determines if the number of hosts the FMC can monitor is approaching the limit and alerts based on the warning level configured for the module. For more information, see Firepower System Host Limit. |
||
Hardware Alarms |
7000 & 8000 Series Threat Defense (physical) |
This module determines if hardware needs to be replaced on a physical managed device and alerts based on the hardware status. The module also reports on the status of hardware-related daemons and on the status of 7000 and 8000 Series devices in high-availability deployments. |
||
HA Status |
FMC |
This module monitors and alerts on the high availability status of the FMC. If you have not established FMC high availability, the HA Status is Not in HA. This module does not monitor or alert on the high availability status of managed devices, regardless of whether they are paired. The HA Status for a managed device is always Not in HA. Use the device management page to monitor devices in high availability pairs. |
||
Health Monitor Process |
Any |
This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the FMC exceeds the Warning or Critical limits. |
||
Inline Link Mismatch Alarms |
Any managed device except ASA FirePOWER |
This module monitors the ports associated with inline sets and alerts if the two interfaces of an inline pair negotiate different speeds. |
||
Intrusion and File Event Rate |
Any managed device |
This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the Intrusion and File Event Rate is zero, the intrusion process may be down or the managed device may not be sending events. Select to check if events are being received from the device. Typically, the event rate for a network
segment averages 20 events per second. For a network segment
with this average rate, Events per second (Critical) should be
set to
The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit. |
||
Interface Status |
Any |
This module determines if the device currently collects traffic and alerts based on the traffic status of physical interfaces and aggregate interfaces. For physical interfaces, the information includes interface name, link state, and bandwidth. For aggregate interfaces, the information includes interface name, number of active links, and total aggregate bandwidth. For ASA FirePOWER, interfaces labeled DataPlaneInterfacex, where x is a numerical value, are internal interfaces (not user-defined) and involve packet flow within the system. |
||
Link State Propagation |
Any except NGIPSv, ASA FirePOWER, Firepower 9300, Firepower 4100 series |
This module determines when a link in a paired inline set fails and triggers the link state propagation mode. If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads:
where |
||
Local Malware Analysis |
Any |
This module alerts if a device is configured for local malware analysis and fails to download local malware analysis engine signature updates from the AMP cloud. |
||
Memory Usage |
Any |
This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module. For appliances with more than 4 GB of memory, the preset alert
thresholds are based on a formula that accounts for proportions
of available memory likely to cause system problems. On >4 GB
appliances, because the interval between Warning and Critical
thresholds may be very narrow, Cisco recommends that you
manually set the Warning
Threshold % value to Complex access control policies and rules can command significant resources and negatively affect performance. Some lower-end ASA devices with FirePOWER Services Software may generate intermittent memory usage warnings, as the device’s memory allocation is being used to the fullest extent possible. |
||
Power Supply |
Physical FMCs 7000 & 8000 Series |
This module determines if power supplies on the device require replacement and alerts based on the power supply status.
|
||
Process Status |
Any |
This module determines if processes on the appliance exit or terminate outside of the process manager. If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited, until the module runs again and the process has restarted. If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process, until the module runs again and the process has restarted. |
||
Reconfiguring Detection |
Any managed device |
This module alerts if a device reconfiguration has failed. |
||
RRD Server Process |
FMC |
This module determines if the round robin data server that stores time series data is running properly. The module will alert If the RRD server has restarted since the last time it updated; it will enter Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration. |
||
Security Intelligence |
FMC and some managed devices |
This module alerts if Security Intelligence is in use and:
|
||
Smart License Monitor |
FMC |
This module alerts if:
|
||
Time Series Data Monitor |
FMC |
This module tracks the presence of corrupt files in the directory where time series data (such as correlation event counts) are stored and alerts when files are flagged as corrupt and removed. |
||
Time Synchronization Status |
Any |
This module tracks the synchronization of a device clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds. |
||
URL Filtering Monitor |
FMCs |
This module alerts if the FMC fails to:
|
||
User Agent Status Monitor |
FMC |
This module alerts when heartbeats are not detected for any User Agents connected to the FMC. |
||
VPN Status |
FMC |
This module alerts when one or more VPN tunnels between Firepower devices are down. This module tracks:
|
Configuring Health Monitoring
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
---|---|---|---|---|
Any |
Any |
Any |
Any |
Admin/Maint |
Procedure
Step 1 |
Determine which health modules you want to monitor as discussed in Health Modules. You can set up specific policies for each kind of appliance you have in your Firepower System, enabling only the appropriate tests for that appliance.
|
||
Step 2 |
Apply a health policy to each appliance where you want to track health status as discussed in Creating Health Policies. |
||
Step 3 |
(Optional.) Configure health monitor alerts as discussed in Creating Health Monitor Alerts. You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular severity level for specific health modules. |