Products

Any

Definition

A stronger version of DES, which is the default encryption method for SSH version 1.5. Used when establishing an SSH session with the appliance.

3DES is a protocol that can be used to encrypt data in a VPN tunnel between two devices.

Usage

Docs—Expand on first use: 'Triple DES'

GUI—Do not expand.

Products

ASA, Firepower

Definition

In OSPF, a router with interfaces in multiple areas.

Usage

Docs—Expand on first use.

GUI—Do not expand.

Products

ASA, CDO, Firepower

Definition

A policy-based feature that allows you to inspect, log, and direct network traffic.

Also considered a security concept that concerns those firewall services and policies and rules that allow or deny network traffic to flow between internal and external networks.

Usage

Do not leave out 'control,' that is, Firepower has access control policies and access control rules, not access policies or access rules.

Do not use NGIPS as a synonym for access control.

Products

WSA

Definition

Access policies block, allow, or redirect inbound HTTP, FTP, and decrypted HTTPS traffic. Access policies also manage inbound encrypted HTTPS traffic if the HTTPS proxy is disabled.

Usage

Example: "It is possible for an access policy to define policy membership by a predefined URL category and for the access policy to perform an action on the same URL category."

Products

ASA

Definition

An ACE evaluates network traffic using one or more characteristics, including source and destination IP address, IP protocol, ports, EtherType, and other parameters, depending on the type of ACL. By default, traffic that is not explicitly permitted is denied.

The ASA stores ACEs like this and each entry is also considered an access control entry. Consider the ACE permit ip Foo Bar where these are the object groups:

object-group Foo
192.168.10.1
192.168.10.2
object-group Bar
10.10.20.1
10.10.20.2

ASA stores the ACE like this:

permit ip 192.168.10.1 10.20.1.1
permit ip 192.168.10.1 10.20.1.2
permit ip 192.168.10.2 10.20.1.1
permit ip 192.168.20.2 10.20.1.2

So, this example doesn’t imply that 4 individual entries are entered into the running config, they're just stored on the ASA that way.

Usage

Docs—Expand on first use.

Products

ASA

Definition

One or more access control entries (ACEs) that identify traffic flows by one or more characteristics, including source and destination IP address, IP protocol, ports, EtherType, and other parameters, depending on the type of ACL.

ACLs are named or numbered.

ASA has these types of ACLs:

• extended ACL

• standard ACL

• webtype ACL

• EtherType ACL

Products

Any

Definition

The Cisco Secure Access Control System (ACS) server is a RADIUS security server that is the centralized control point for managing network users, network administrators, and network infrastructure resources. This product has reached its end-of-life. Migration path is to the Cisco Identity Services Engine (ISE).

Usage

Docs—Expand on first use.

Products

Firepower

Definition

A component of a rule that determines how the system handles traffic that matches the rule.

Usage

Both 'action' and 'rule action' are acceptable, depending on context. You can use the name of the action to describe a rule, for example, 'block rule' or 'allow rule.'

Products

Threat Grid

Definition

The prioritization, remediation, and attribution of risk from malware that allows you to clean up, prioritize, remediate, and prevent threats more effectively in the future.

Usage

Example: "The analysis report provides detailed, actionable intelligence used by malware analysts and security teams to identify and prioritize potential threats."

Products

Stealthwatch

Definition

A host that is known to the Stealthwatch Flow Collector and that has transmitted a data packet in the last 5 minutes.

Contrast with 'inactive host.'

Products

ATS, Stealthwatch

Definition

See 'threat actor.'

Products

Cognitive, Stealthwatch

Definition

Attack against a network during which an unauthorized person gains access and remains undetected for an extended period of time. The purpose of the attack is to illicitly obtain data, such as financial or competitive information, rather than to cause damage to the network.

Usage

Docs—Expand on first use. Thereafter, can be shortened to APT.

Products

Cognitive

Definition

A term used to describe an asset or host when it has been touched by a finding, ranging from anomalous observed data to a threat or malware.

Usage

Do not use if redundant or implied in context. For example, on a page showing what anomalous data was observed on which assets in the network, avoid using 'affected asset' if 'asset' is sufficient.

Products

Stealthwatch Enterprise

Definition

A notification of unusual network activity or event that meets or exceeds a defined set of criteria that can indicate unacceptable behavior on your network.

Usage

Use as a noun.

Products

Stealthwatch Enterprise

Definition

A “bucket” toward which a defined list of security events contributes. When network activity meets or exceeds a defined set of criteria specified, it triggers an alarm. Contains only host alarms.

Alarm categories contain only host alarms. A host alarm is a security event that has triggered an alarm.

Products

Any

Definition

A type of alarm to prepare for action, or to warn of an approaching threat. To be on the alert is to be on the lookout for danger and ready to act.

See also 'alarm.'

Products

Firepower

Definition

A rule action that allows matching traffic to continue to the next stage of analysis or handling.

Note that an allow rule does not necessarily allow traffic to continue directly to its destination. For example, traffic that is allowed by a Firepower access control rule is still subject to network discovery, identity requirements, intrusion inspection, malware inspection, and rate limiting (QoS).

Contrast 'allow' with the 'trust' and 'fastpath' actions, which bypass more inspection.

Usage

Examples: allow rule, allow action, allow rule action

Products

Any

Definition

A list of senders, domains, or applications that are allowed or permitted access.

For example:

• In the SMA, the list specifies senders and domains that are never treated as spam.

• In the ESA, the list specifies known good senders that are not subjected to anti-spam scanning or rate limiting by the $TRUSTED mail flow policy.

• In Umbrella, this is a type of destination list with approved DNS addresses.

Contrast with 'block list' and 'blocked list.'

Usage

Synonyms: safelist, whitelist (do not use)

Standardize use around 'allow list' (to mean a list that allows).

In cases where it makes more sense, it's okay to use 'allowed list' (to mean a list of allowed items).

Products

AMP

Definition

Protective technology that monitors files, processes, memory, and network connections to detect and block known and unknown threats based on a variety of engines.

Products

Any

Definition

A process that takes information from sensors and processes it. Subtypes include:

• detection engine—consumes information (such as events, telemetry, and intelligence) and produces alerts

• enforcement engine—controls which activity on a network or an endpoint can take place (may also be known as enforcement agent or controller)

• enrichment engine—takes events and alerts and combines them with other data to annotate and aggregate them to support actions (such as triage and response)

• intelligence engine—extracts threat intelligence (in forms such as judgments and indicators) from a flow of information

• statistics engine—summarizes and generates telemetry from a flow of events and alerts

• triage engine—takes events and alerts, and escalates them into incidents, or otherwise helps to classify and filter them for presentation

Usage

Do not abbreviate intelligence as intel.

If the customer does not need to distinguish between multiple engines in order to choose one, you can refer to it as 'the engine' or 'the system' for simplicity.

Products

Firepower

Definition

A rule action that allows matching traffic to continue to the next stage of analysis or handling.

Firepower prefilter policies use the analyze action instead of the allow action.

Usage

Examples: analyze rule, analyze action, analyze rule action

Products

Firepower

Definition

A policy that has one or more descendant policies of the same type. These descendant policies inherit settings from the ancestor policy.

See also 'parent policy.'

Products

Cognitive

Definition

Information or event that was observed or happened in the network, that deviates from the baseline of normal network behavior monitored and established by the Cognitive system.

Contrast with 'sighting,' which implies recognition.

Products

Any

Definition

A deviation from what's normal or expected.

For instance, in Cognitive Intelligence, an anomaly is any unusual activity, trend, or event found by real-time monitoring or offline analysis of network property or entity behaviors.

Products

AnyConnect

Definition

Determines when AnyConnect software and profile updates can occur, as well as when to exclude certificate stores, enable FIPS mode, restrict caching, and so on.

Products

ASA

Definition

Lets a security appliance handle nonstandard applications so that they render correctly over a WebVPN connection.

Usage

Docs—Expand on first use.

Products

Cloudlock, Umbrella

Definition

A computer program generally accessed using web browsers in desktop operating systems, and natively on mobile devices. Apps are often associated with cloud services, and frequently offer limited and/or targeted functionality. Apps may not be versioned, particularly when they represent the user interface for a cloud-based service. Contrast with 'application.'

Usage

Can be used collectively, as in "...create a policy to block all social media apps in your environment." When referring to a specific app, use its trade name alone where possible ("...log in using Facebook", not "...log in using the Facebook app").

Products

Any

Definition

A device designed to perform a task such as protect computer networks from unwanted traffic.

Usage

Use the term 'device' instead. Avoid using 'appliance' and 'security appliance' as they are legacy terms.

'Appliance' is the hardware version of the ASA, and 'device' is the virtual version.

Use 'appliance' or 'security appliance' if you need to specifically refer to the product name. For example, Cisco Adaptive Security Appliance.

Products

Cloudlock, Umbrella

Definition

A computer program that runs natively in a desktop operating system. Applications are generally versioned. Contrast with 'app.'

Usage

When referring to a specific application, use its trade name alone where possible ("...open the file using Microsoft Excel", not "...open the file using the Excel application"). Do not use 'application program.'

Products

Stealthwatch

Definition

User-defined time when each Stealthwatch Flow Collector in the domain resets itself. Acceptable values are 0 to 23, where 0 is midnight local time. At the defined time, the Flow Collector resets all index counts to zero, saves the log and web files it has gathered during the preceding 24 hours, and then begins a new day (24 hours) of data collection. Defined on the Domain page of the Domain Properties dialog.

Products

AMP, Threat Grid

Definition

A file or other object generated by a submitted sample during analysis. An artifact may be any type of file, such a Word document, a graphic (.png, .jpg, etc.), or a downloaded executable. An artifact may be a file-like object, such as an image of a process running in memory. An artifact may be a SHA256, or an IP address or domain implicated in a compromise.

Usage

Example: "Artifacts are listed in the sample analysis report."

Products

ASA

Definition

Combines firewall, VPN concentrator, and intrusion prevention into one software image. Operates in single mode and multimode.

Usage

Docs—Use 'adaptive security appliance' on first reference when referring to the hardware. Thereafter, use 'security appliance' or 'appliance.'

Use ASA when referring to ASA models, for example: ASA 5508.

Products

Firepower

Definition

The short name for ASA with FirePOWER Services.

Usage

Docs—Use 'Cisco ASA with FirePOWER Services' for the first use. Then, you can say 'an ASA FirePOWER device' or just 'ASA FirePOWER.'

Do not use 'onbox' or 'Elektra.'

Products

Firepower

Definition

An ASA device running an ASA FirePOWER module (NGIPS).

Usage

Do not use 'onbox' or 'Elektra.'

Products

ASA, Firepower

Definition

An application for managing and configuring a single ASA.

Usage

Docs—Expand on first use.

Products

Cognitive

Definition

A component of the network environment, such as hardware, software, and information, that enables and supports the communication of data. In business terminology, something the business can put value on and hence evaluate the risk of a finding.

Products

Any

Definition

Validate that a user, device, or software process is who or what they say they are based on credentials, such as password, digital certificate, biometrics, or some combination.

Products

Threat Grid

Definition

A network that has been authorized for organization members (including devices) to access the Threat Grid Panacea server. Defined in the Authorized Networks field on the Organization page.

Products

ASA

Definition

In normal autostate mode, the Layer 3 interfaces remain up if at least 1 port in the VLAN remains up.

If you have appliances, such as load balancers or firewall servers that are connected to the ports in the VLAN, you can configure these ports to be excluded from the autostate feature to make sure that the forwarding SVI does not go down if these ports become inactive.

Products

Firepower

Usage

Docs—Expand on first use.

GUI—Always spell out, unless it's in a part of the GUI that's all about AVC, such as when a page title already clearly identifies the context as Application Visibility and Control, then you can abbreviate as needed.

Products

Umbrella

Definition

Refers to the idea that traffic is not directed immediately to its ultimate destination (for example, facebook.com), but is first routed through a nonoptimal hop- like NGFW running at the central datacenter, or the idea that all traffic from a remote office goes through the central office before heading out to the internet.

Often referred to when VPN traffic gets routed through the central node before letting it back out to the ultimate destination on the public internet.

Usage

Use as a verb.

Products

Hardware

Definition

The physical connection between an interface processor or card and the data buses and the power distribution buses inside a chassis.

Usage

Do not use to describe the back of the chassis.

Products

Firepower

Definition

If you're configuring policy inheritance or policy layers, the base policy is the lowest-level policy in the stack. Other policies of the same type inherit rules and settings from the base policy.

Products

Threat Grid

Definition

Key traits and behaviors that have been identified as indicators of malicious activity. Behavioral indicators include threat severity levels, HTTP traffic, DNS traffic, TCP/IP network sessions, processes, artifacts, registry activities, and more.

Usage

Do not abbreviate. Always spell out.

Do not use 'behavior' or the British spelling (behavioural).

Can be used interchangeably with IOC (indicators of compromise).

Products

Hardware

Definition

The program that starts the sensor and communicates between the devices in the appliance and the system.

Usage

Do not expand.

Usage

Do not use. Instead, standardize use around 'block list' (to mean a list that blocks).

In cases where it makes more sense, it's okay to use 'blocked list' (to mean a list of blocked items).

Products

Firepower

Definition

A rule action that blocks matching traffic without further inspection of any kind.

Usage

Examples: block rule, block action, block rule action

You can use 'block rule' as a bucket for block rules and block with reset rules, when the 'reset' part is irrelevant.

Products

Any

Definition

A list of senders, domains, or applications that are blocked or restricted from access.

For example, in the ESA, the list specifies known bad senders that get rejected by the $BLOCKED mail flow policy.

Contrast with 'allow list' and 'allowed list.'

Usage

Synonyms: blocklist, blacklist (do not use)

Standardize use around 'block list' (to mean a list that blocks).

In cases where it makes more sense, it's okay to use 'blocked list' (to mean a list of blocked items).

Products

Umbrella

Definition

A code that can be given to certain individuals (or a group of individuals) to allow them to go to some or all blocked websites until the code expires.

Usage

Can be shortened to 'bypass code.'

Products

Umbrella

Definition

A special user account that gives the rights to certain individuals (or a group of individuals) to go to blocked sites while still being part of the enforcement given to the larger policy group they belong to. For users of the Umbrella dashboard, it is a similar—but distinctly different—concept to Grant Permissions to a User in the Umbrella dashboard.

Products

Firepower

Definition

A rule action that blocks matching traffic without further inspection of any kind, and resets the connection.

Usage

Examples: block with reset rule, block with reset action, block with reset rule action

You can use 'block rule' as a bucket for block rules and block with reset rules, when the 'reset' part is irrelevant.

Products

Any

Definition

A collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. The term botnet is used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed through worms, Trojan horses, or back doors, under a common command-and-control infrastructure.

Usage

Do not use to refer to an appliance, chassis, or device.

Products

ASA, Firepower

Definition

Spanning tree protocol hello packet that is sent out at configurable intervals to exchange information among bridges in the network.

Protocol data unit is the OSI term for packet.

Usage

Docs—Expand on first use.

GUI—Do not expand.

Usage

Do not use. Instead, standardize use around 'existing deployment.'

See also 'greenfield.'

Products

Any

Definition

Mode that lets packets continue to flow through the appliance even if the appliance fails. Bypass mode is only applicable to inline-paired interfaces.

Usage

Do not abbreviate. Always spell out.

Products

ETA

Definition

Histogram giving the frequency of occurrence for each byte value, or range of values, in the first N bytes of application payload for a flow.

Products

Any

Definition

The certificate issuer used to create server certificates or user public key certificates. Server and user certificates provide an additional confirmation of a server or a user identity.

A third-party entity that is responsible for issuing and revoking certificates. Each host with the public key of the CA can authenticate a host that has a certificate issued by the CA. The term CA also refers to software that provides CA services.

Usage

Synonym: certification authority

Docs—Expand on first use.

Products

Any

Definition

Certificate for one CA issued by another CA.

Products

Umbrella

Definition

Tool that allows internet users insight into what is happening in their DNS, empowering them to manually refresh DNS caches on their own. When a domain is failing and a website appears to be down, internet users can refresh the massive Umbrella caches and update them with the most current addresses for websites, in many cases enabling access automatically.

Usage

Use camel case: CacheCheck

Products

CWS, WSA

Definition

Placed between cloud service providers and their consumers, a CASB enforces security policies as cloud-based resources are being accessed, thereby addressing cloud service risks, even when cloud services are beyond the enterprise perimeter and out of the organization's direct control.

Usage

Docs—Expand on first use.

Products

Hardware, Software

Definition

An international set of guidelines and specifications developed for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.

Usage

Docs—Expand on first use.

Products

Umbrella

Definition

From Umbrella service provider consoles (MSP, MSSP, ISP, Multi-Org), these settings are applied to a customer’s Umbrella policy settings (default policy or all policies depending on settings). They can be applied concurrently to multiple customers, including new customers as they come on board.

Usage

Upper case when referring to console feature.

Products

Any

Definition

A signed cryptographic object that contains the identity of a user or device and the public key of the CA that issued the certificate. Certificates have an expiration date and may also be placed on a CRL if known to be compromised. Certificates also establish nonrepudiation for IKE negotiation, which means that you can prove to a third party that IKE negotiation was completed with a specific peer.

Usage

Do not abbreviate. Always spell out.

Products

AnyConnect

Definition

The use of a digital certificate to identify users, appliances (that need to communicate with back-end services), desktops, laptops, and any mobile devices before granting access to a resource, network, application, and so on. The certificates are stored locally on the device. Unlike other solutions that only work for users (like biometrics or username/password), the same solution can be used for all endpoints.

Products

AnyConnect

Definition

Those certificates that match a specific set of keys established in the AnyConnect client profile with criteria such as key usage, extended key usage, and distinguished name.

Products

ESA, SMA

Definition

An authentication protocol for communicating with the RADIUS server for configuring external authentication or two-factor authentication on the appliance.

Usage

Docs—Expand on first use.

Products

Any

Definition

A physical structure that houses the hardware components.

Usage

Use in procedures where components are added to or removed from the chassis. Also used in the name FXOS Firepower Chassis Manager.

Products

Firepower

Definition

A descendant policy that inherits rules and settings from its immediate ancestor, or parent, policy.

Usage

Use 'child' only if you're talking about a policy and its immediate ancestor policy.

Otherwise, use 'descendant policy.' Do not use 'grandchild policy' or other such variations.

Products

Threat Grid

Definition

Cisco Integrated Management Controller

Usage

Docs—Expand on first use.

GUI—Do not expand.

Products

Any

Definition

Cisco’s enterprise architecture for intent-based networking across the campus, branch, WAN, and extended enterprise.

Cisco DNA is the core architecture that is the platform for software innovations and infrastructure.

The Cisco DNA architecture is delivered through:

• Cisco DNA Center: command and control for policy, automation, and analytics

• Cisco DNA Solutions: SD-Access, SD-WAN, and Assurance and Network Security

• Cisco DNA-ready physical and virtual infrastructure: switching, routing and wireless

Usage

Use camel case: Cisco DNA

When referring to Cisco DNA or Cisco DNA products and solutions, the complete term 'Cisco DNA' must be used.

'DNA' must be preceded by 'Cisco' in all content, diagrams, flow charts, presentations, keynotes, and so on.

Products

Any

Definition

Cisco system software that provides common functionality, scalability, and security for all products under the CiscoFusion architecture. Cisco IOS allows centralized, integrated, and automated installation and management of internetworks while supporting a wide variety of protocols, media, services, and platforms.

Usage

Do not expand.

Products

Threat Response

Definition

An investigative tool that leverages AMP, Investigate, Talos, Threat Grid, and other Cisco and 3rd party products and services, to simplify and speed up common incident response tasks by automating and collating research and response functions across those multiple products and tools.

Usage

Do not abbreviate. Always spell out.

Formerly known as Visibility.

Products

Solution including ASA

Definition

Provides access control that builds upon an existing identity-aware infrastructure to ensure data confidentiality between network devices and integrate security access services on one platform.

In the feature, enforcement devices use a combination of user attributes and endpoint attributes to make role-based and identity-based access control decisions. The availability and propagation of this information enables security across networks at the access, distribution, and core layers of the network.

https://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html

Usage

Docs—Expand on first use: Cisco TrustSec. Thereafter, can be shortened to TrustSec.

GUI—Use TrustSec.

Do not abbreviate as CTS.

Products

Umbrella

Definition

Cloud-based security platform that uses the internet’s infrastructure to block malicious destinations before a connection is ever established. Umbrella builds on a flexible, scalable cloud platform to continuously evolve ahead of the pace of threats, providing cloud-delivered network security for any device, anywhere, anytime.

Usage

Docs—Expand on first use.

Can be shortened to Umbrella.

Products

Firepower

Definition

Cisco Vulnerability Research Team

Usage

Do not use. See 'Talos.'

Products

CDO

Definition

Used in the context of CDO and serial number onboarding: A device is 'claimed' if its serial number has been onboarded to a CDO tenant.

Products

ASA

Definition

Used for Modular Policy Framework; the class map, using an ACL or other criteria, matches traffic for a service policy.

Products

AnyConnect

Definition

Determines various options in the Network Access Manager, such as connection settings, media types, end user controls, and administrative status.

Products

Cognitive

Definition

Incidents that have similar malware symptoms and correlated behaviors are grouped into a cluster.

Usage

May also be referred to as an 'incident group' or 'threat cluster.'

Products

Threat Grid Appliance

Definition

Two or more appliances joined together and saving data in a shared file system such that all nodes have the same data as the other nodes in the cluster. The main goal of clustering is to increase the capacity and scalability of a single system by joining several appliances together, and to support redundancy and recovery from failure.

Usage

Use as a noun or verb.

For clustering, do not use 'master' and 'slave.' Instead, use 'control' and 'data.'

Products

ESA

Definition

The name of a collection of threat feeds that is hosted on the TAXII server. For example, 'guest.Abuse.ch.'

Products

Umbrella

Definition

Cisco Umbrella blocks the command-and-control callbacks made by the botnet to prevent compromised devices from communicating with the attackers' infrastructure.

Usage

Docs—Expand on first use. Thereafter, can be shortened to 'C&C callback.'

Products

Cognitive

Definition

Server controlled by an attacker which is used to remotely send commands to a network of devices infected by malware or botnet.

Usage

Docs—Expand on first use. Thereafter, can be shortened to 'C&C server.'

Products

AMP for Endpoints

Definition

When a computer or device is in a hazardous or objectionable state as the result of one or more potentially related events, such as malware infection, credential theft, and so on.

Products

Any

Definition

An outside computer, not the Cisco product.

Usage

When you want to use a more informal tone, or if there's limited space, use the term 'PC' to refer to only Windows-based computers. If the docs or GUI applies to both Windows-based and Mac computers or only Mac computers, use the term 'computer.'

Products

Stealthwatch

Definition

Primary means by which the system notifies you of suspicious activity. The Stealthwatch Flow Collector adds points to the concern index whenever it observes possible attacks on one or more hosts. The greater the concern index, the greater the level of concern over that behavior. When activity surpasses 100% of the index threshold set for a particular host, the Flow Collector generates a High Concern Index alarm against that host.

See also 'alarm.'

Usage

Do not abbreviate. Always spell out.

Products

AnyConnect

Definition

This policy blocks traffic if a connection to the Cisco Cloud Web Security proxy server cannot be established or allows traffic when it can.

Products

AnyConnect

Definition

Determines how the user connects to the headend and to which tunnel group based on both its authentication and authorization configuration.

Products

AnyConnect

Definition

How Apple iOS checks other applications that start network connections, using the Domain Name System (DNS) and how match domain and host are defined.

Usage

Do not hyphenate.

Products

Any

Definition

A window in which the user interacts with an application or device using a command line interface.

Usage

Synonym: terminal window

Related: console port

Products

Umbrella

Definition

Web-based portion of the service provider products through which the user interacts with the software, configuring and monitoring the system. The parent org uses the console, child the dashboard.

Usage

Examples: MSP console, MSSP console, ISP console, Multi-Org console

Products

Any

Definition

A physical interface on an appliance into which you plug an Ethernet or other cable so that you can administer a device, or an application on that device, using a console.

Products

Umbrella

Definition

A grouping of websites with similarly themed content matching one of the types listed here: https://support.umbrella.com/hc/en-us/articles/231265768-Getting-Started-Category-Settings-and-Content-Category-Details

Usage

Sometimes referred to as just category.

Products

ESA

Definition

Used to process messages during the Per-Recipient Scanning phase of the work queue in the email pipeline. Content filters are evoked after Message filters and act on individual, splintered messages.

Products

ESA

Definition

The detection component of the data loss prevention scanning engine. A classifier contains a number of rules for detecting sensitive data, along with context rules that search for supporting data. For example, a credit card classifier not only requires that the message contain a string that matches a credit card number, but that it also contains supporting information such as an expiration data, a credit card company name, or an address.

Products

Threat Grid

Definition

Internal convention for a virtual machine image used for sample analysis.

Usage

GUI—Do not use.

Products

ESA

Definition

A bounce that occurs within the SMTP conversation. The two types of conversational bounces are hard bounces and soft bounces:

• hard bounce—a message that is permanently undeliverable

• soft bounce—a message that is temporarily undeliverable

Products

Cognitive

Definition

An incident is located by coordinates that describe where and when the incident happened. With sufficient granularity, you can use the coordinates to locate the incident and correlate with other systems.

Coordinates are composed of username, IP address, or MAC address coupled with a corresponding time span. For example, IP address 10.0.0.1 from Thursday to Friday.

A single set of coordinates may refer to only one incident at a time.

Products

Umbrella

Definition

Algorithmic classifier derived from co-occurrence patterns among domains. Co-occurrence of domains means that a statistically significant number of clients have requested both domains consecutively in a short time frame.

Usage

Avoid. Instead, use 'integrations.' When possible, be specific: ESA integration, Meraki integration, AMP for Endpoints Private Cloud integration, and so on.

Products

Umbrella

Definition

A digitally signed message that lists all of the current but revoked certificates listed by a given CA. This is analogous to a book of stolen charge card numbers that allow stores to reject bad credit cards. When certificates are revoked, they are added to a CRL. When you implement authentication using certificates, you can choose to use CRLs or not. Using CRLs lets you easily revoke certificates before they expire, but the CRL is generally only maintained by the CA or an RA. If you are using CRLs and the connection to the CA or RA is not available when authentication is requested, the authentication request fails.

Usage

Docs—Expand on first use.

Products

Any

Definition

This is a developer term used to describe the implementation of basic functionality.

In computer programming, create, read, update, and delete are the four basic functions of persistent storage. Alternate words are sometimes used, such as retrieve instead of read, modify instead of update, and destroy instead of delete.

Usage

If possible, avoid using 'CRUD' in external, customer-facing documentation.

Products

Threat Grid

Definition

Other Cisco appliances and products, such as the ESA/WSA appliances, that connect with Threat Grid through the Cisco Sandbox API ("CSA API").

Usage

Avoid. Instead, use 'integrations.' When possible, be specific: ESA integration, Meraki integration, AMP for Endpoints Private Cloud integration, and so on.

Products

CSM

Definition

The provisioning component of the Cisco Self-Defending Networks solution. CSM is fully integrated with CS-MARS.

Usage

Docs—Expand on first use.

Products

Threat Response

Definition

Closely based on STIX, CTIM includes common data models used by Cisco Threat Intelligence services.

Allows us to decompose the massive, comprehensive artifacts generated during malware sample analysis and extract the details most relevant to incident response into a data model specifically designed for rapid storage, retrieval, and enrichment.

Usage

Docs—Expand on first use.

Products

ASA

Definition

A protocol used in IP telephony between the Cisco CallManager and CTI TAPI and JTAPI applications. CTIQBE is used by the Cisco CallManager for call setup and voice traffic across the ASA.

Usage

If you need to explain this protocol, you can expand the acronym. Otherwise, this is like HTTP or RADIUS where it is not necessary to expand.

Products

ASA

Definition

Enables the ASA to provide faster traffic flow after user authentication. The cut-through proxy challenges a user initially at the application layer. After the ASA authenticates the user, it shifts the session flow and all traffic flows directly and quickly between the source and destination while maintaining session state information.

Usage

Always hyphenate cut-through. Cut-through is a compound modifier.

Products

Umbrella

Definition

Web-based portion of the Umbrella product through which the user interacts with the software to configure and monitor the system. In *SP, dashboard is what child org sees. Do not use dashboard for service provider consoles.

Products

AnyConnect

Definition

Determines what type of data (VPN, trusted, or untrusted) to send and whether the data (type, fields, or network state of the interface) is anonymized or not in NVM. The policy associates this data with a network type or connectivity scenario.

Products

Any

Definition

Devices and connections of a communications network that comprise the network end of the user-to-network interface. The DCE provides a physical connection to the network, forwards traffic, and provides a clocking signal used to synchronize data transmission between DCE and DTE devices. Modems and interface cards are examples of DCE.

Usage

Do not expand.

Products

Firepower

Definition

A rule action that decrypts encrypted traffic and passes it to the next phase of analysis. There are two kinds of decrypt actions:

• decrypt known key

• decrypt re-sign

Usage

Examples: decrypt rule, decrypt action, decrypt rule action, decrypt known key rule, decrypt re-sign rule

Products

WSA

Definition

Decryption policies determine whether HTTPS transactions should be decrypted, dropped, or passed through.

Usage

Example: "If a decryption policy is configured to block servers with a low Web reputation score, then any request to a server with a low reputation score is dropped without considering the URL category actions."

Products

Firepower

Definition

In a policy, the action the system uses when network traffic does not match any of that policy's rules or other settings.

Products

ESA

Definition

A bounce that occurs within the SMTP conversation. The recipient host accepts the message for delivery, only to bounce it at a later time.

Products

Any

Definition

Published in 1977 by the National Bureau of Standards and is a secret key encryption scheme based on the Lucifer algorithm from IBM. Cisco uses DES in classic crypto (40-bit and 56-bit key lengths), IPsec crypto (56-bit key), and 3DES (triple DES), which performs encryption three times using a 56-bit key. 3DES is more secure than DES but requires more processing for encryption and decryption.

See also 'AES' and 'ESP.'

Usage

Docs—Expand on first use.

Products

Firepower

Definition

A policy that inherits rules and settings from another policy of the same type.

See also 'child policy.'

Usage

Spell with an A: 'descendant.' Do not use an E: 'descendent.'

See http://grammarist.com/usage/descendant-descendent/.

Products

Any

Definition

Where the traffic is destined to arrive.

A target network, host, port, domain, URL, or IP address for which a request is being made.

Usage

Do not abbreviate. Always spell out.

For example, 'www.domain.com' is one type of destination.

Products

Umbrella

Definition

A list of destinations (for example, domain name, URL, or IP address) that is used to manage—block or allow—customer or organization access to specific internet destinations.

Usage

Use as a noun.

Products

Any

Definition

Generic term that may refer to a Cisco security product after you've officially introduced it. May also refer to a device connected to the Cisco security product to communicate with the network, such as a firewall, router, switch, or computer. Can be a physical hardware or virtual device.

Usage

Can use specific term with device. Examples: network device, managed device, mobile device

Products

Threat Grid

Definition

User. Each device is treated as a user record.

Products

Threat Grid

Definition

Licensing authority for device entitlements.

Usage

GUI—Capitalize: Device User.

Docs—Do not capitalize: device user.

Usage

See 'certificate.'

Products

Stealthwatch Enterprise

Definition

A set of rules that offers additional control through the policy feature. It is a solution to either of the following scenarios when you are investigating a security event:

• The behavior you discovered is of concern in general, but not for the current situation.

• The behavior you discovered is of concern, but in only a few specific situations.

Products

Threat Response

Definition

Calculated from an analysis engine about the intent or nature of an observable: whether it's malicious, suspicious, unknown, common, clean, and so on.

Usage

The role of a disposition is different. It’s more of an actionable statement, as opposed to a measure of threat. Here's a translation mapping between disposition in Threat Response and threat level in Talos:

Malicious

Untrusted

Suspicious

Questionable

Unknown

Neutral

Common

Favorable

Clean

Trusted

No judgement objected returned

Unknown

Products

ESA, Cloudlock

Definition

A data loss prevention incident occurs when a DLP policy detects one or more DLP violations that merit attention in an outgoing message.

Usage

Docs—Expand on first use.

Products

ESA, Cloudlock

Definition

A set of conditions used to determine whether content contains sensitive data and the actions that can be taken on the content that contains such data.

Usage

Docs—Expand on first use.

Products

ESA, Cloudlock

Definition

An instance of data being found in a message that violates your organization’s DLP rules.

Usage

Docs—Expand on first use.

In Cloudlock, this is called a policy violation. The policy is a DLP policy, but Cloudlock does not use this specific terminology.

Products

Umbrella

Definition

Cisco Umbrella approach to securing the critical 'last mile' of DNS traffic and resolving an entire class of serious security concerns with the DNS protocol.

Usage

Use camel case: DNSCrypt

Products

Umbrella

Definition

A free service from Cisco Umbrella that gives you an easy way to distribute your dynamic IP changes to multiple services with a single update.

Products

Software

Definition

The DoDIN APL is the single approving authority for all Military Departments (MILDEPs) and DoD agencies in the acquisition of communications equipment that is to be connected to the Defense Information Systems Network (DISN) as defined by the Unified Capabilities Requirements (UCR).

Usage

Docs—Expand on first use.

The DoD has changed the name of the list it uses for the procurement of IT products to be used over the DoD network infrastructures. Therefore, use DoDIN APL instead of Unified Capabilities Approved Products List (UC APL).

Products

Any

Definition

An identification string that refers to one or more IP addresses. Registered in the Domain Name System (DNS) and used to provide recognizable names to numerically addressed resources on the internet. A domain is the name of a website.

Products

Firepower

Definition

A rule action that passes encrypted traffic to the next phase of analysis, without decrypting it.

Usage

Examples: do not decrypt rule, do not decrypt action, do not decrypt rule action

Products

Any

Definition

An attack in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby disrupting access and denying service to the system to legitimate users.

Usage

Docs—Do not expand unless context requires it.

Products

Hardware

Definition

Generic term to refer to a drive when it is not necessary to point out what specific drive it is.

Usage

Use as the generic term.

Products

Firepower

Definition

Block.

Usage

Avoid, except in legacy products and documentation.

Products

Firepower

Definition

An intrusion rule action that drops (blocks) matching packets, and logs an intrusion event. You cannot block without logging. Contrast with the generate events action, which logs an intrusion event without dropping matching packets.

An intrusion rule with a drop and generate events action is like an access control rule with a block action and logging enabled.

Usage

Avoid, except in legacy products and documentation.

Products

Any

Definition

A Cisco-proprietary protocol in the VLAN group used for negotiating trunking on a link between two devices and for negotiating the type of trunking encapsulation (ISL or 802.1q) to be used.

Usage

Docs—Expand on first use.

Products

Threat Grid, Firepower

Definition

Sample analysis includes processes that capture any actions that are performed by the file. This is the dynamic analysis of the sample submission. For example, making a change to the registry, creating other files, launching executables, communicating with a remote IP address, generating other artifacts, and so on.

Dynamic analysis also includes emulating user behavior with playbooks. These are canned sets of user behaviors, such as clicking the OK button in a dialog, which may be selected during sample submission. Many user actions will trigger malware. The results of running a playbook is part of the dynamic analysis.

Products

Any

Definition

Translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool typically includes fewer addresses than the real group. When a host you want to translate accesses the destination network, the ASA assigns the host an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out.

Usage

Do not abbreviate 'dynamic NAT.'

Products

Any

Definition

Translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. Lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the appliance dynamically chooses a unique port number from the PAT IP address for each outbound translation slot (xlate). This feature is valuable when an ISP cannot allocate enough unique IP addresses for your outbound connections. The global pool addresses always come first, before a PAT address is used.

Usage

Do not abbreviate 'dynamic PAT.'

Products

Any

Definition

The action of traffic going out.

Usage

Verb: the packet egresses immediately

Adjective: egress interface, egress security zone

Products

Any

Definition

This is a Cisco-proprietary protocol.

The ASA does not support EIGRP.

Usage

Docs—Expand on first use.

GUI—Do not expand.

Products

ESA

Definition

A single, comprehensive dashboard to manage all email security services and applications on IronPort appliances. Email Security Manager lets you manage outbreak filters, anti-spam, anti-virus, and email content policies on a per recipient or per sender basis through distinct inbound and outbound policies.

Usage

Do not abbreviate. Always spell out.

Products

Any

Definition

A syslog format designed to be consistent with the Cisco IOS system log format and is more compatible with CiscoWorks management applications.

Usage

Docs—Expand on first use.

GUI—Do not expand.

Products

Threat Response

Definition

Detection of an observable outside of my environment (off network).

See also 'sighting.'

Products

Any

Definition

A computing device used to connect to and communicate on a network.

Usage

Examples: desktops, laptops, smartphones, tablets, servers, workstations

Products

Threat Grid

Definition

API endpoints are URIs representing server resources that can be used by client applications.

Products

Stealthwatch Enterprise

Definition

An appliance that analyzes high-value endpoint contextual data collected by the AnyConnect NVM.

Usage

Features do not require the branded portion of the name; they'll only be used within the Cisco Stealthwatch context.

Products

AMP

Definition

Process of isolating a compromised endpoint by blocking all network traffic to and from the endpoint. This prevents command-and-control communication, exfiltration of sensitive information, and further spread of malware. Can allow certain IP addresses to access the endpoint to perform forensics and cleaning of threats.

Synonym: node isolation

Products

Threat Grid, Threat Response

Definition

Annotating or collecting events with threat intelligence, correlated events, and security context. For example, in Threat Grid, the process of using the database to build up context around an observation or a piece of suspicious information, such as a behavioral indicator. By searching the database for related indicators, and following those relationships to other information, you can enrich the information with the context necessary to generate the actionable intelligence to address the problem.

Products

Threat Grid

Definition

A Threat Grid product or service that has been purchased and is covered in the license agreement. For example, access to Threat Grid Cloud portal and APIs. Entitlements are listed on the Organization Details page.

Use the following to describe times and dates related to entitlements:

• entitlement start—the date the entitlement goes into effect

• entitlement stop—the last day of the entitlement subscription period

• entitlement lapse—time from the entitlement stop date to the end of the entitlement grace period

• entitlement grace period—five days after the entitlement stop date

• entitlement terminated—end of the entitlement grace period

Products

Stealthwatch Cloud

Definition

Host or endpoint on the network, whether in the cloud or on the local network.

Products

Stealthwatch Cloud

Definition

Analysis of the behavior for every entity on the network or in the public cloud to determine abnormal, suspicious, and malicious activity.

Products

ESA

Definition

The recipient of an email message as defined in the RCPT TO: SMTP command. Also, sometimes referred to as the 'Recipient To' or 'Envelope To' address.

Products

ESA

Definition

The sender of an email message as defined in the MAIL FROM: SMTP command. Also, sometimes referred to as the 'Mail From' or 'Envelope From' address.

Products

Hardware

Usage

Do not use. Instead, use 'network module.'

Products

Hardware

Definition

The rapid movement of a charge from one object to another object, which produces several thousand volts of electrical charge that can cause severe damage to electronic components or entire circuit card assemblies.

Usage

Do not expand.

Products

ESA

Definition

Used to download information about a collection of threats that is available on a TAXII server.

Usage

Docs—Expand on first use.

Products

ASA

Definition

An ACL that applies to non-IP layer-2 traffic on bridge group member interfaces only. You can use these rules to permit or drop traffic based on the EtherType value in the layer 2 packet. With EtherType ACLs, you can control the flow of non-IP traffic across the device.

Usage

Use camel case: EtherType

Products

Any

Definition

A change of state or observed activity that has occurred on the network or endpoint which has a security significance for the management of the network. Not necessarily suspicious, a cause for alarm, or a security threat.

Products

Cloudlock

Definition

Pattern allowed by a DLP policy.

Products

AMP

Definition

A type of list that specifies an application, process, directory, and so on that should be ignored (not scanned) by the endpoint Connector.

Products

Cognitive, Umbrella

Definition

Attack on a computer system that takes advantage of a particular vulnerability that the system offers to intruders.

Products

Cognitive, Umbrella

Definition

Server-based toolkit used to automate attacks by targeting client-side vulnerabilities in browsers and other software.

For example, the Blackhole exploit kit is the most prevalent web threat (as of 2012). Its purpose is to deliver a malicious payload to a victim's computer. It incorporates tracking mechanisms, so that intruders maintaining the kit can obtain information about the victims.

Usage

Depending on context, can be abbreviated as EK.

Products

Any

Definition

A group of ACEs with the same ACL ID or name. This is more obvious in ASDM where ACLs are named and the ACEs that comprise them are nested under the name. These ACLs are used for access rules to permit and deny traffic through the device, and for traffic matching by many features, including service policies, AAA rules, WCCP, Botnet Traffic Filter, and VPN group and DAP policies. Extended ACLs are also used to determine the traffic to which other services will be provided.

Types of extended access rules:

• extended access rules (Layer 3+ traffic) assigned to interfaces

• extended access rules (Layer 3+ traffic) assigned to Bridge Virtual Interfaces (BVI routed mode)

• extended access rules assigned globally

• management access rules (Layer 3+ traffic)

• EtherType rules (Layer 2 traffic) assigned to interfaces (bridge group member interfaces only)

Usage

Always use 'extended ACL.' Do not expand to 'extended access control list.'

An extended ACL is not specifically identified as such in the interface but it is obvious from the creation of the ACE.

Products

Stealthwatch

Definition

Data received from technologies other than flow export technologies and associated with behavior-based, flow-driven events.

Products

Any

Definition

The state of a device or software where traffic is blocked when traffic handling is busy or down.

For example, an AnyConnect fail closed policy disables network connectivity when the VPN is unreachable.

Contrast with 'fail open.'

Usage

Noun: fail closed

Adjective: fail-closed

Products

Any

Definition

The state of a device or software where traffic continues flowing when traffic handling is busy or down.

For example, you can configure Firepower to allow traffic to pass without intrusion inspection when the inspection engine is down.

For example, an AnyConnect fail open policy permits network connectivity when the VPN is unreachable.

Contrast with 'fail closed.'

Usage

Noun: fail open

Adjective: fail-open

Synonym: failsafe

This is not the same as 'fail-to-wire' or 'hardware bypass.'

Products

ASA

Definition

Failover lets you configure two ASAs so that one takes over operation if the other one fails. The ASA supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover.

With Active/Active failover, both units can pass network traffic. This lets you configure load balancing on your network. Active/Active failover is only available on units running in multiple context mode.

With Active/Standby failover, only one unit passes traffic while the other unit waits in a standby state. Active/Standby failover is available on units running in either single or multiple context mode.

For an ASA, high availability is a condition achieved when two ASAs are configured in an Active/Standby or Active/Active failover mode.

Usage

Noun, adjective: failover

Verb: fail over

Products

ASA, Hardware

Definition

A characteristic of an inline set that lets packets bypass processing and continue through the device if internal traffic buffers are full.

Usage

Synonym: fail open

This is not the same as 'fail-to-wire' or 'hardware bypass.'

Products

Firepower

Definition

A physical layer bypass that allows paired interfaces to go into bypass mode so that the hardware forwards packets between these port pairs without software intervention. Provides network connectivity when there are software or hardware failures.

Usage

Do not abbreviate. Always spell out.

Synonym: hardware bypass

This is not the same as 'fail open' or 'failsafe.'

Products

Umbrella

Definition

A special service offered by Cisco Umbrella that is distinct from our standard packages. Meant for home users who want to keep their children from seeing inappropriate images on their computers, FamilyShield always blocks domains categorized in our system as Tasteless, Proxy/Anonymizer, Sexuality, or Pornography.

Usage

Use camel case: FamilyShield

Products

Firepower

Definition

Exempt traffic from all further inspection and control, most often used in the context of prefiltering.

Usage

Capitalize according to style guidelines, except when referring to the prefilter or tunnel rule action, which is always capitalized: the 'Fastpath action.'

8000 Series fastpath rules are device-specific rules that are not related to prefiltering. Always refer to these as '8000 Series fastpath rules' to disambiguate.

Products

Any

Definition

Curated security-related information such as behavioral indicators, malware signatures, security policies and so on, that are often delivered by security service providers on a subscription basis, to enhance the security posture of an application or device. The goal of these feeds is to give customers the most up-to-date security information possible.

Products

Umbrella

Definition

Tool to enable administrators to download the Top Domains log data that has been collected for a network. Useful when downloading data ranges that are greater than 200 records, which is the file-size limit for an online download from the Umbrella Stats page.

Products

REST API

Definition

A single piece of information within an object model.

Products

Stealthwatch

Definition

Tracks atypical file transfers, which could indicate peer-to-peer activity, that could place an organization at risk. Once the file-sharing activity for a particular host causes its file-sharing index points to surpass 100% of its threshold, the Stealthwatch Flow Collector generates a High File-Sharing Index alarm.

See also 'alarm.'

Usage

Do not abbreviate. Always spell out.

Products

Hardware, WSA

Definition

Federal Information Processing Standards (FIPS) specify requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information.

For hardware, it refers to the opacity shield with tamper-resistant labels covering the front panel of the chassis.

Usage

Docs—Expand on first use.

Products

Stealthwatch Enterprise

Definition

A physical or virtual device that aggregates and normalizes NetFlow and application data collected from up to 4000 exporters (such as Cisco routers and switches) per Flow Collector.

Usage

Features do not require the branded portion of the name; they'll only be used within the Cisco Stealthwatch context.

Products

Stealthwatch Enterprise

Definition

A physical or virtual device that provides an overlay solution for generating NetFlow data for older Cisco network infrastructures not capable of natively producing unsampled NetFlow data at line rates, for third-party components that do not support unsampled NetFlow, and for other environments where additional security context is required.

Usage

Features do not require the branded portion of the name; they'll only be used within the Cisco Stealthwatch context.

Products

NGFW

Definition

A tool to migrate ASA firewall configurations to Firepower Threat Defense (FTD).

Usage

Use the term abbreviation in collateral such as presentations and best practice guides.

For example, "The Cisco FMT helps you migrate your firewall to FTD."

Products

Security Online Visibility Assessment, Stealthwatch Cloud, Stealthwatch Enterprise

Definition

Number of NetFlow packets detected per second. Used for licensing.

Usage

GUI—Do not expand.

Docs—Do not expand unless context requires it.

Products

Any

Definition

A domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone.

Always written in this format: [host name].[domain].[tld]. For example, a mail server on the example.com domain may use the FQDN mail.example.com.

Usage

GUI—Do not expand.

Docs—Do not expand unless context requires it.

Products

Any

Usage

Do not expand.

Products

Any

Usage

Do not expand.

Products

Umbrella

Definition

Algorithmic classifier that looks at where DNS requests originate, and how far away the requests are from the IP address’ geolocation. The classifier then compares the geographic distribution of DNS requests with the predicted one for the top-level domain (for example, RU, CN, COM).

Products

Any

Definition

Setting that applies to everything.

Usage

Not to be confused with 'Global domain.'

Products

ASA

Definition

Lets you change the ASA configuration. All user EXEC, privileged EXEC, and global configuration commands are available in this mode.

Products

Firepower

Definition

In a multidomain deployment, the top-level domain. If you do not configure multitenancy, all devices, configurations, and events belong to the Global domain. Administrators in the Global domain can manage the entire Firepower System deployment.

Products

Umbrella

Definition

A community of VPN-enabled gateways located at various points throughout the world. Each VPN can communicate with every other member of the community through a VPN tunnel.

Products

Umbrella

Definition

The Cisco Umbrella global network is comprised of geographically distributed data centers serving 50 million active users daily in more than 160 countries, and delivering the industry’s best uptime. Combined with Umbrella network security services, it provides the ultimate coverage, efficacy, and performance. Umbrella's infrastructure that handles more than 2 percent of the world’s daily internet requests with proven 100 percent uptime. It enforces security policies with no added latency, and in minutes covers any device worldwide, for Umbrella.

Products

Umbrella

Definition

Network of servers managed by Cisco Umbrella that are used to resolve DNS queries.

Usage

Do not use. Instead, standardize use around 'new deployment.'

See also 'brownfield.'

Products

AnyConnect, ASA, Firepower

Definition

A collection of attributes and their values that define behaviors of a remote access VPN connection. Attributes in the group policy are stored internally on the ASA, or externally on a AAA server. Group policies are associated with connection profiles (tunnel groups) and local user accounts. Based on the system’s configuration, a group policy is determined and assigned to remote access clients upon the establishment of a VPN connection.

Products

Threat Grid

Definition

Trusted signing authority that is included on allowed lists.

Usage

Do not use in interface or documentation. This is an internal-use-only term.

Products

ASA, FMC, FxOS

Definition

Ensures that traffic continues to flow between an interface pair during a power outage. This feature can be used to maintain network connectivity in the case of software or hardware failures.

Usage

Noun: hardware bypass

Adjective: hardware-bypass

Synonym: fail-to-wire

This is not the same as 'fail open' or 'failsafe.'

Standardize terminology around 'hardware bypass.'

Products

Hardware

Definition

A specialized interface card that pairs physical interfaces so that when a software error is detected, a bypass mechanism is engaged that directly connects the physical interfaces and allows traffic to flow through the pair. The hardware bypass passes traffic at the network interface; it does not pass it to the system.

Usage

This is not the same as 'fail open.'

Products

ESA

Definition

Maintains a set of rules that controls incoming connections from remote hosts for a listener. Every listener has its own HAT. HATs are defined for public and private listeners, and contain mail flow policies and sender groups.

Usage

Docs—Expand on first use.

Example: "The settings configured in the listener, including its Host Access Table and Recipient Access Table, affect how the listener communicates with an SMTP server during the SMTP conversation."

Products

Hardware

Usage

Do not expand.

Products

ASA, Firepower

Definition

A pair of devices configured for failover to provide redundancy. Common configurations to achieve high availability are active/standby and active/active.

Usage

Lower case.

Do not abbreviate as 'HA' in interfaces or documentation.

In this context, do not use 'master' and 'slave.' Instead, use 'primary' and 'secondary.'

Products

Any

Definition

A device that is connected to a network and has an IP address.

Products

Stealthwatch Enterprise

Definition

A security event that has triggered an alarm for an endpoint Stealthwatch is monitoring.

Usage

Use singular or plural in the GUI.

Products

Firepower

Definition

Contextual information about a host gathered by network discovery. Can contain attributes such as basic topology data, device type, operating system, and applications installed on the host.

Products

Any

Definition

A label used to identify a host on a network.

Products

Any

Definition

A minor update to a security device that addresses a particular, urgent problem that cannot wait for the next release. Hotfixes are applied to “hot" (in use) devices. As much as possible, a hotfix should not interrupt normal operations.

Usage

Use as a noun.

Products

Hardware

Definition

Lets you add components that expand the system but would not cause interruption to the system.

Usage

Two words.

Verb: hot plug

Noun: hot plugging

Adjective: hot-pluggable

Products

Hardware

Definition

Lets you add, replace, or remove components without interrupting the system power, entering console commands, or causing other software or interfaces to shut down.

Usage

Two words.

Verb: hot swap

Noun: hot swapping

Adjective: hot-swappable

Products

Any

Definition

A set of attributes, maintained by an authoritative identity source (such as Microsoft Active Directory or LDAP server) that describes a user. Examples of attributes include username, password, group associations, and so on.

Usage

Do not abbreviate. Always spell out.

Products

Umbrella

Definition

An entity you create in Umbrella that you can apply policy to and report on. An identity can be an entire network, or as granular as an individual user or device.

Usage

Do not abbreviate. Always spell out.

Products

ASA

Definition

Provides granular access control based on users’ identities rather than through source IP addresses.

This concept, along with detailed implementations, is documented in the ASA configuration guide.

Products

Any

Definition

A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.

Usage

Do not abbreviate 'identity NAT.'

Products

ASA, Firepower

Definition

An identity policy associates traffic on your network with an authoritative identity source and a realm.

You can configure access rules and security policies based on identity attributes rather than through source IP addresses.

After configuring one or more identity policies, you can associate one with an access control policy and deploy the access control policy to a managed device.

Usage

Do not abbreviate. Always spell out.

Products

Umbrella

Definition

A category in which an identity is included. For example, networks, network devices, and roaming computers are identity types. Identities are grouped by type in order to design and apply policies consistently.

Usage

Do not abbreviate. Always spell out.

Products

Stealthwatch

Definition

A host that is known to the Stealthwatch Flow Collector but has not transmitted a data packet in the last 5 minutes.

Contrast with 'active host.'

Products

ASA

Definition

Inbound access rules apply to traffic as it enters an interface. Global and management access rules are always inbound.

Products

AMP, Cognitive, CWS

Definition

An event, use, or behavior that does not conform to an established standard, and that is considered a possible security threat.

Can be comprised of multiple events. For example, a malicious PDF file exploits an Acrobat vulnerability to execute a PE file, which in turn downloads malware, which is then detected and quarantined. Each of those events – exploit, download, detection, quarantine – makes up the single incident.

Usage

Use modifiers to describe different types, such as retrospective incident, incident response, low-risk incident, and high-risk incident.

Products

Threat Grid

Definition

A verdict that indicates the subject's risk cannot be determined.

Products

Stealthwatch Enterprise

Definition

A value that represents an observed use of behavior that matches a defined set of criteria.

When the accumulated index points meet or exceed a designated threshold, Stealthwatch triggers the applicable alarm.

Products

Any

Definition

A trait, behavior, pattern, or set of conditions that indicates the presence of malicious activity or the possibility of a compromise as observed in the field. Not all indicators are behavioral. See 'behavioral indicator.'

Additionally, in Threat Response, an indicator can be a collection of judgements or a pattern specification that a sensor uses to characterize events or observed activity.

Usage

Can be used interchangeably with indicators of compromise (IOC).

Products

Cognitive

Definition

A term used to describe an asset or host when you know it is affected by a threat or malware and needs remediation.

Usage

Do not use if redundant or implied in context. For example, on a page showing what malware was found on which hosts in the network, avoid using 'infected host' if 'host' is sufficient.

Products

Any

Definition

A configuration where devices can affect network traffic flow. Contrast with passive, where you can analyze and respond to, but not affect, the flow of traffic.

Usage

Adjective: inline deployment, inline interface, inline mode

Products

Threat Grid

Definition

A verdict that indicates the subject is listed in the National Software Reference Library (NSRL) database, a repository of known software.

Products

ASA, Firepower, Hardware

Definition

The first interface, usually port 1, that connects your internal "trusted" network protected by the appliance.

Products

Firepower

Definition

A rule action used when any inspection properties are applied to the match criteria.

Within an access control policy, access control rules provide a granular method of handling network traffic across multiple managed devices. Each rule also has an action, which determines whether you monitor, trust, block, or allow matching traffic. When you allow traffic, you can specify that the system first inspect it with intrusion or file policies to block any exploits, malware, or prohibited files before they reach your assets or exit your network.

Usage

Examples: inspect rule, inspect action, inspect rule action

Products

Threat Response

Definition

An engine, website, or group of people that produces indicators and related data around malware, attack patterns, weaknesses, campaigns, actors, and targets.

Usage

Do not abbreviate intelligence as intel.

Products

Umbrella

Definition

When your computer makes a DNS query for a site that sometimes hosts bad content, the Intelligent Proxy kicks in to protect you. Instead of returning the correct address of the website, the DNS server returns the address of the Intelligent Proxy, where Umbrella security software can take a deeper look at the site and protect you as needed.

Usage

Do not abbreviate. Always spell out.

Products

Firepower

Definition

A rule action that allows users to load an initially blocked website after reading a warning.

Products

Any

Definition

The connection between a particular network and an appliance.

Usage

Use as a noun.

Products

ASA, Firepower

Definition

The use of PAT where the PAT IP address is also the IP address of the outside interface.

Usage

Docs—Expand on first use.

Do not abbreviate 'interface PAT.'

Products

Firepower

Definition

An IPS alert was an alert generated by the Sourcefire Intrusion Prevention System (IPS).

Usage

Use 'intrusion alert' instead of 'IPS alert.'

Products

Firepower

Definition

An event logged when network traffic hits an intrusion rule.

Usage

Use 'intrusion event' instead of 'IPS event.'

Products

Stealthwatch

Definition

A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An intrusion set may capture multiple campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown threat actor.

Products

Umbrella

Definition

A Cisco Umbrella threat intelligence product.

Usage

Docs—Expand on first use. Investigate by Cisco Umbrella. Thereafter, can be shortened to Investigate.

Always capitalize.

Products

Any

Definition

Used to communicate across any set of interconnected networks. Well suited for LAN and WAN communications.

Usage

Do not expand.

Products

Any

Definition

An Internet Protocol address.

Usage

Do not shorten to 'IP.'

Refers to both IPv4 and IPv6 addresses.

Usage

Legacy term. Going forward, do not use. Instead, use 'intrusion alert.'

Usage

Legacy term. Going forward, do not use. Instead, use 'intrusion event.'

Products

Threat Response

Definition

A statement by a human or analysis engine that declares the perceived, calculated disposition of an observable: whether it's malicious, clean, suspicious, common, unknown, and so on. There can be many judgements. Judgements are the basis for returned verdicts. They're also the primary means by which users of Threat Response go from observables on their system, to the indicators and threat intelligence data in Threat Response.

The judgement has more than just the disposition. It’s a record of which engine made the judgement, how long it is valid, why the judgement was made, and where more details can be seen.

Products

Threat Response

Definition

A model of the progress of a security compromise. The dominant one being from Lockheed Martin, using it as a structure for modeling intrusion attacks on a network. The phases are:

• recon

• weaponization

• delivery

• exploitation

• installation

• command and control

• actions

Products

Hardware

Usage

Expand on first use to differentiate from other uses.

Products

Hardware

Usage

Expand on first use to differentiate from other uses.

Products

AnyConnect

Definition

When a VPN is unreachable, the client applies the last client firewall received from the ASA.

Products

Umbrella

Definition

Classifiers used to detect fast flux. Fast flux is a DNS technique that botnet command-and-control infrastructures use to hide behind a compromised system that acts like a proxy.

Products

ASA, Firepower

Definition

A process on a Firepower Threat Defense device. It is closely associated with the ASA software and is frequently used by engineering as a reference to the ASA side of the bicameral FTD brain (the other side being Snort). Lina is closely associated with deploying and interpreting ASA configuration commands, which are used to configure ASA-based features such as routing.

Usage

GUI—Do not use.

In most cases, you can use 'data plane' or 'the system, whichever is appropriate.

Configuration commands that appear in the show running-config output are 'ASA configuration commands.' Commands that originally came from the ASA but now are exposed in the converged CLI are called 'Firepower Threat Defense commands.'

In the documentation, you can use 'lina' if you are specifically discussing troubleshooting at the process level. Also, the first time you refer to the data plane in a book, you can say 'the data plane (sometimes called lina)...'

Products

Hardware

Definition

A network device that distributes traffic to optimize performance and resource use. Using discovery, the system can identify load balancers.

Products

ASA, Firepower, Stealthwatch

Definition

An application used to configure a device dedicated to performing a single function. It is "local" because it is installed on the same appliance as the device's software, or it is delivered with the device's software. A local device manager only manages the device it is installed on or delivered with.

Firepower Device Manager and Stealthwatch Central Manager are examples of local device managers. The command line interface for a device is also considered a local device manager.

Usage

Do not use 'on-box manager' in place of 'local device manager.'

Products

Hardware

Usage

Expand on first use to differentiate from other uses.

Products

Hardware

Definition

The ability for an administrator to monitor and manage systems and their power by remote control.

Usage

Expand on first use to differentiate from other uses.

Products

CDO

Definition

Refers to the process of shipping an FTD from the factory to a customer site (typically a branch office). An employee at the site connects the FTD to their network, and the device contacts the Cisco Cloud. At that point, the device is onboarded to the CDO tenant if its serial number has already been claimed, or the FTD is parked in the Cisco cloud until it is claimed by a CDO tenant.

The device is configured to receive its address by DHCP and the FTD’s default password has not been changed.

The user interacting with the hardware is expected to have limited or no interaction with the device other than to plug it in and assess the status lights.

See also 'claimed,' 'parked,' and 'serial number onboarding.'

Usage

At the beginning of a sentence: Low-touch provisioning

In the middle of a sentence: low-touch provisioning

As a field name or title: Low-Touch Provisioning

After first use, can be shortened to LTP.

Products

Any

Usage

Do not use to refer to an appliance, chassis, or device.

Exceptions include 'machine-generated,' 'machine learning,' and 'virtual machine.'

Products

ESA

Definition

A way of expressing a group of Host Access Table (HAT) parameters (an access rule, followed by rate limiting parameters and custom SMTP codes and responses) for a listener. Together, sender groups and mail flow policies are defined in a listener’s HAT. Your Cisco appliance ships with the predefined mail flow policies and sender groups for listeners.

Products

Any

Definition

Something that is known to be dangerous or harmful.

Usage

In some cases, used to describe the active unit when 2 units are operating in failover mode with each other. In this context, do not use 'master.' Instead, standardize terminology around 'active' or 'primary.'

However, in ASA VPN load balancing, do not use 'master' (and 'backup'). Instead, use 'director' (and 'member').

Products

Any

Definition

Message-digest algorithm that's a hash function widely used to produce a 128-bit hash value.

Usage

Do not use md5, Md5, md-5, Md-5, or MD-5.

Products

Any

Definition

Media-dependent interface.

Usage

Docs—Expand on first use.

Products

Any

Definition

Media-dependent interface crossover.

Usage

Docs—Expand on first use.

Products

REST API

Definition

Methods are the possible actions a user can perform on a REST API service. These include GET, PUT, POST, and DELETE.

Products

Any

Definition

The MITRE Corporation is a non-profit organization, founded in 1958, that provides engineering and technical guidance on advanced technology problems like cybersecurity for a safer world.

MITRE ATT&CK is a knowledge base of the methods that attackers use against enterprise systems, cloud apps, mobile devices, and industrial control systems. ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, can help you understand how cyber attackers think and work.

See MITRE ATT&CK White Paper at Cisco.

Usage

Do not use generically. Instead, use when referring to the actual model number. For example, Firepower 2140 model.

Products

Hardware

Definition

A removable component in a chassis, such as a network module or security module.

Products

Software

Definition

A software module package that provides additional and complimentary functionality to the primary software on an appliance.

A software module is installed separately and licensed separately from the primary function of the device.

For example, the FirePOWER services module runs on an ASA and is installed and licensed separately from the ASA software.

Products

Firepower

Definition

A rule action that ensures logging of matching connections without affecting traffic flow. Monitored traffic is matched against additional rules, if present, to determine how the traffic is handled.

Usage

Examples: monitor rule, monitor action, monitor rule action

Products

ASA

Definition

This is a name given to a strategy which combines ASA objects to achieve an outcome.

Combines an access control list (ACL), class map, policy map, and service policy to provide a consistent and flexible way to configure ASA features. The ACL is applied to a class map. The class map defines a traffic matching condition. The class map is associated with a policy map which defines enforcement. The policy map is associated with an interface using a service policy. MPFs can be used to direct traffic to IPS inspection, application inspection, and define Quality of Service requirements for an application.

Usage

Docs—Expand on first use.

However, this is an antiquated and almost irrelevant ASA feature name. Do not use it in Firepower. Instead, describe a similar security approach using the actual terminology for the policies, rules, and objects used.

Products

Hardware

Definition

A secondary solid-state drive supplied by Cisco that you can install in certain devices to store captured files, which frees space on the device's primary hard drive for event and configuration storage.

Usage

Docs—Expand on first use.

Products

Umbrella

Definition

A third-party vendor that provides and manages internet services to a client.

Usage

Docs—Expand on first use.

Products

Umbrella

Definition

A third-party vendor that provides and manages security services to a client.

Usage

Docs—Expand on first use.

Products

ESA

Definition

The program responsible for accepting, routing, and delivering email messages. Upon receiving a message from a Mail User Agent or another MTA, the MTA stores a message temporarily locally, analyses the recipients, and routes it to another MTA. It may edit and/or add to the message headers.

Usage

Docs—Expand on first use.

Products

ESA

Definition

The program that lets the user compose and read email messages. The MUA provides the interface between the user and the Mail Transfer Agent. Outgoing mail is eventually handed over to an MTA for delivery.

Usage

Docs—Expand on first use.

Products

ASA, Firepower

Definition

A client-based or cloud-based application used to configure a device. A multi-device manager is not installed on the appliance or delivered with the device's software. This kind of manager can manage a single device type or multiple device types.

Adaptive Security Device Manager, Cisco Defense Orchestrator, Firepower Management Center, and Cisco Security Manager are examples of multi-device managers.

See also 'remote device manager.'

Usage

Do not use 'off-box manager' in place of 'multi-device manager.'

Products

Any

Definition

Strengthens access security by requiring two or more different methods (also referred to as factors) to verify your identity. These factors can include something you know (username and password), something you are (fingerprint), or something you have (secondary trusted device like a smartphone app or token to approve authentication requests).

Two-factor authentication (2FA) is a subset of MFA.

Usage

Docs—Expand on first use. Thereafter, can be shortened to MFA.

Products

Any

Definition

Substituting an IP address in the header of a packet for another IP address so that the packet can be routed from one network to another. One of the main functions of NAT is to enable private IP networks to connect to the internet with a translated, public IP address.

Usage

Docs—Expand on first use.

GUI—Use 'NAT.'

Products

Hardware, Software

Definition

Network Equipment Building System (NEBS) compliance refers to the conformance of a network product to the requirements of the NEBS standard. Compliance to this standard indicates that a network product or a telecommunications equipment performs at its optimum capacity.

Usage

Docs—Expand on first use.

Products

Stealthwatch Cloud, Stealthwatch Enterprise, Security Online Visibility Assessment, Firepower

Definition

An embedded instrumentation within Cisco IOS Software to characterize network operation. By analyzing the data provided by NetFlow, you can determine things such as the source and destination of traffic, class of service, and the causes of congestion.

Usage

Use camel case: NetFlow

Products

Threat Grid

Definition

Similar in concept to VPN, the Network Exit Localization setting makes any outgoing network traffic that is generated during the analysis to appear to exit from that location. Users may select a different location from the default while submitting samples for analysis, whether from the dropdown list on the Submit Sample modal, or by API.

Products

ASA, Firepower

Definition

Means different things to different people. For example, some people consider an ASA with FirePOWER Services to be an NGFW. Other people consider only a Firepower Threat Defense (FTD) device to be an NGFW.

The FTD device can be managed by command-line interface, Firepower Device Manager (FDM), Firepower Management Center (FMC), or Cisco Defense Orchestrator. Sometimes, FDM and FMC are confused with next-generation firewalls. These managers are not next-generation firewalls. They're user interfaces to manage traditional firewalls, next-generation firewalls, and even other device types.

'NGFW' is used extensively by Marketing and is the official product name in the Cisco.com product path.

Usage

Avoid using 'NGFW' whenever possible. Instead, use the specific product name. For example:

Firepower Threat Defense device

ASA with FirePOWER Services module

Mentioning ONCE that your particular device is a next-generation firewall (NGFW) is acceptable if it helps the customer find that wording when they search for it.

For a complete list of acceptable terms, see Customer-Facing Names for Firepower System Appliances.

If you're spelling out 'NGFW,' spell out the whole term. Do not use 'Next-Gen' or other variants.

Do not use as a synonym for access control.

Products

Firepower

Definition

Firepower software that runs on older/legacy Firepower devices (7000 series, 8000 Series, NGIPSv).

Usage

Docs—Expand on first use.

Use as an adjective to modify a device or the software running on it: NGIPS device, NGIPS software. With the exception of NGIPSv, do not use as a noun.

Do not use as a synonym for access control.

Products

Umbrella

Definition

Classifier that leverages natural language processing (NLP) techniques to detect cyber-squatting and targeted phishing domains.

Usage

Use camel case: NLPRank

Products

Any

Definition

A node is any device within a connected network of other devices that’s able to send, receive, and/or forward information.

The computer is the most the common node and is often called the computer node or internet node. Modems, switches, hubs, bridges, servers, and printers are also nodes, as are other devices that connect over WiFi or Ethernet.

Nodes within a computer network must have some form of identification, like an IP address, MAC address, or Data Link Control (DLC) address for it to be recognized by other network devices. A node without this information, or one that has been taken offline, no longer functions as a node.

Usage

For example, in Threat Grid Appliance, a node is a member of an appliance cluster.

Products

Hardware

Usage

Expand on first use to differentiate from other uses.

Products

Any

Definition

Networking protocol for clock synchronization. For example, the ntpconfig command configures IronPort AsyncOS to use NTP to synchronize the system clock with other computers.

Usage

Docs—Expand on first use.

Products

REST API

Definition

An individual instance of a service.

Products

REST API

Definition

The list of data which a service may contain.

Products

Cognitive, Threat Grid, Threat Response

Definition

A single, atomic identifier, in the form of a discreet string, that can be recognized and communicated by sensors; such as IP address, domain, file hash, email, MAC address, file name, sensor-specific GUID, and web request. See also 'observation.'

For example, the first thing that Threat Response does with an observable is determine its disposition, by aggregating what we know about that observable from the various enrichment modules we have configured. The disposition tells us whether the observable is clean, malicious, suspicious, unknown, and so on. Once we have a disposition for an observable, we begin to enrich it, gathering information about it from enrichment sources such as AMP and the Cisco Threat Intelligence API. Unknown observables are not enriched. See also 'disposition.'

Products

Stealthwatch Cloud

Definition

A fact about your traffic, such as endpoints making connections they have not made before. Observations are not necessarily suspicious.

See also 'observable.'

Usage

Do not use. Instead, see 'remote device manager' and 'multi-device manager.'

Products

Hardware

Definition

Lets you add, replace, or remove components. OIR requires performing Cisco IOS commands before and after the OIR.

Usage

Docs—Expand on first use.

Do not confuse with 'hot swap' or 'hot plug.'

Usage

Do not use. Instead, see 'local device manager.'

Products

Any

Definition

Software that runs on computers within an organization. Contrast with cloud software.

Usage

Can be abbreviated as 'on-prem.'

Docs—Expand on first use.

'On premise' is incorrect. Do not leave off the 's.'

Whether you include a hyphen depends on how 'on premises' is being used. If it’s being used as a compound adjective before a noun, we can hyphenate it as 'on-premises.' Otherwise, the hyphen is not needed.

Products

Umbrella

Definition

The original company name of Cisco Umbrella. Still used for the public free offering of Umbrella.

Usage

Use 'Umbrella' instead of 'OpenDNS.'

Products

Umbrella

Definition

Software that ensures that Umbrella preferences are preserved whenever IP addresses change.

Products

ESA

Definition

An open relay (sometimes called an 'insecure relay' or a 'third-party relay') is an SMTP email server that allows unchecked third-party relay of email messages. By processing email that is neither for nor from a local user, an open relay makes it possible for unknown senders to route large volumes of email (typically spam) through your gateway.

Usage

Use in its singular form only.

Products

AMP, Threat Grid, Threat Response

Definition

Near real-time endpoint search and forensic snapshot service. Uses osquery.io schema for SQL queries. Currently a beta service installed by AMP for Endpoints Windows Connector.

Usage

The official name for this service being offered with AMP is Cisco Orbital. Thereafter, can be shortened to Orbital, but do not use OAS.

The AMP Console may still refer to it as Orbital Advanced Search, but this should be updated in the future.

Products

Threat Grid

Definition

An entity created within Threat Grid that is used to group users according to how the privacy and visibility rules are to be applied. Only users within the same organization can see samples that have been designated as private. A Threat Grid organization on the cloud can only be created by Threat Grid staff. Organizations can only be created on a Threat Grid appliance by an admin user.

Usage

Threat Grid-specific use of 'organization.'

Products

Umbrella

Definition

Generally, a term used in conjunction with service provider console. An organization is the term used to describe a customer.

Usage

Can be organization or org.

Most commonly used with 'Multi-Org console' instead of 'customer.'

Products

ASA

Definition

Outbound rules apply to traffic as it exits an interface. An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict access, you can create a single outbound ACL that allows only the specified hosts. The outbound ACL prevents any other hosts from reaching the outside network.

This term does not refer to a higher security to lower security interface, commonly known as outbound.

This term does not apply to Firepower firewalls: All access control rules in Firepower are modeled as global rules in the data plane. Global rules are always inbound.

Products

ESA

Definition

IronPort’s Outbreak Filters feature provides an additional layer of protection from viruses. The Outbreak Filters feature quarantines suspicious email messages, holding the messages until an updated virus IDE is available, or until they are deemed not a threat.

Usage

Use the plural form only.

Products

ASA, Firepower, Hardware

Definition

The first interface, usually port 0, that connects to other "untrusted" networks outside the appliance.

Products

ISE

Definition

See PAP (Policy Administration Point). Policy administration node is the Cisco term for this function.

Usage

Docs—Expand on first use. Lower case.

Products

ESA, SMA

Definition

An authentication protocol for communicating with the RADIUS server for configuring external authentication or two-factor authentication on the appliance.

Usage

Docs—Expand on first use. Lower case.

Products

ASA, Cisco TrustSec

Definition

Defines and inserts policies into the authorization system. Also acts as an identity repository by providing Cisco TrustSec tag-to-user identity mapping and Cisco TrustSec tag-to-server resource mapping.

Policy administration point is the industry standard term for this function.

In the Cisco TrustSec solution, the Cisco Identity Services Engine (ISE) acts as the PAP. However, ISE diverged from industry standard terms: they call their PAP a policy administration node (PAN).

Usage

Docs—Expand on first use. Lower case.

Products

REST API

Definition

A variable added to a REST API request which provides information for executing the method on the service. This can be as simple as the UUID of the specific resource being deleted or include the entire model when creating an object.

Products

CDO

Definition

Used in the context of CDO and serial number onboarding: A device is 'parked' if it has connected to the Cisco Cloud and its serial number has not been claimed by a CDO tenant.

Products

Umbrella

Definition

Console used to create and start trials of Cisco Umbrella.

Usage

Cisco Umbrella for Partners console, never PPoV.

Products

ASA, Firepower, Hardware

Definition

A sensing interface configured to analyze traffic in a passive deployment.

Products

WSA

Definition

Allow encrypted traffic to pass without decryption or further checks.

Usage

Avoid, except in legacy products and documentation.

See also 'allow,' 'trust,' and 'do not decrypt.'

Products

Any

Definition

PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used.

Each connection requires a separate translation because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

Usage

Docs—Expand on first use.

GUI—Use 'PAT.'

Products

Any

Definition

A minor upgrade that includes a limited range of fixes.

Usage

Use as a noun or verb.

Products

ASA

Definition

Traditional routing is destination-based, meaning packets are routed based on destination IP address. However, it's difficult to change the routing of specific traffic in a destination-based routing system. With PBR, you can define routing based on criteria other than destination network. PBR lets you route traffic based on source address, source port, destination address, destination port, protocol, or a combination of these. PBR is defined by access lists and route maps. PBR is available in routed mode only.

Usage

Docs—Expand on first use.

Products

Any

Definition

Devices that communicate with each other without having to go through a server, such as sharing files over a peer-to-peer network.

Usage

Do not abbreviate. Always spell out.

Such as peer-to-peer or point-to-point. Do not use 'P2P.'

Products

Stealthwatch

Definition

A host that was previously unknown to the Stealthwatch Flow Collector and that was sent a data packet, but did not respond within 10 seconds. A large number of phantom hosts can be an indication of network scanning.

Products

Umbrella

Definition

The first and most successful collaborative clearinghouse for data and information about phishing on the internet. PhishTank is based on the idea that security researchers, exploited brands, technology developers, academic institutions and internet users are stronger together in fighting phishing than they are on their own.

Usage

Use camel case: PhishTank

Products

Hardware

Definition

The orderable product identifier that is 1 of the 3 parts of the UDI. The UDI is part of the PEP policy.

Usage

Docs—Expand on first use. Lower case.

Products

Hardware

Definition

Refers to a series of hardware models.

Usage

Do not use generically. For example, to refer to all of the Kentons or Queen's Park.

Products

Threat Grid

Usage

See 'user emulation playbook.'

Products

Any

Definition

A mechanism for grouping and applying rules or settings.

For more information, see the Policy archetype.

Usage

Unless context is absolutely clear, use the full name of the policy: access control policy, intrusion policy, NAT policy, and so on.

Do not capitalize or abbreviate the name of the policy, except as a page title, field label, or other GUI element where you are required to capitalize the name. For example, it is 'access control policy,' not 'Access Control Policy' or 'AC Policy.'

Products

Stealthwatch Enterprise

Definition

A set of rules that you can apply to entities within your network that monitors and can alert on behavior.

Products

Umbrella

Definition

Access to content rules and controls that determine how an Identity is protected by Umbrella. Created through the Policy wizard.

Products

ESA

Definition

Defines the frequency of fetching threat feeds from a TAXII server.

Products

ESA

Definition

The part of the URL that identifies the polling service in the TAXII server. For example, '/taxii-data.'

Products

Umbrella

Definition

A ranking score based on the number of distinct origin IP addresses that have visited a domain name. This is a Bayesian average, similar to reputation scores.

Products

Hardware

Definition

Set of hardware diagnostics that runs on a hardware device when that device is powered on.

Usage

Do not expand.

Products

Umbrella

Definition

Partner Proof of Value and Partner console.

Usage

Do not abbreviate. Always spell out. Do not use PPoV acronym.

Products

Any

Definition

Provides a method of IKE authentication that is suitable for networks with a limited, static number of IPsec peers. This method is limited in scalability because the preshared key must be configured for each pair of IPsec peers. When a new IPsec peer is added to the network, the preshared key must be configured for every IPsec peer with which it communicates. Using certificates and CAs provides a more scalable method of IKE authentication.

Usage

Use 'PSK' only in field labels or other GUI elements where space is an issue, and in documentation describing those GUI elements. Otherwise, spell out 'preshared key.'

Products

Threat Grid

Definition

A privacy setting that controls access to sample analysis results. Samples designated as private are only available to members of the same organization as the submitting user or integration. Users who belong to a different organization than the submitting user have no access to the the analysis results.

Products

Any

Definition

A cryptographic key known only to the owner of the paired public key certificate. The public key and private key are used for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption and decryption.

Products

ASA

Definition

Privileged EXEC mode lets you change current settings. Any user EXEC mode command works in privileged EXEC mode.

Products

ASA

Definition

A passive interface for monitoring packets of the network segment. The sensing interface does not have an IP address assigned to it and is therefore invisible to attackers.

Products

CDO, FTD

Definition

Strictly speaking there are two sets of actions that occur at the beginning of the FTD setup:

• provisioning

  • accept EULA

  • create new password

• system initialization

  • configure management IP address (IP type, DHCP/static)

  • set FQDN

  • set DNS servers

  • choose to manage the device locally (with FDM)

However, to the user, all of this is initial provisioning. This definition is useful to differentiate a claiming error and a provisioning error in CDO.

Products

Cognitive, WSA

Definition

An application that is not malicious but may be considered to be unsuitable and undesirable for the business network.

Usage

Docs—Expand on first use.

Products

Threat Grid

Definition

A privacy setting that controls access to sample analysis results. Samples designated as public are available to all other users, regardless of which organization they belong to. (The one exception to this rule is for public samples submitted by integrations: integrations from a different organization will only have partial access to the analysis results.)

Products

Any

Definition

A public key is one of a pair of keys that is generated by devices involved in public key infrastructure (PKI). Data encrypted with a public key can only be decrypted using the associated private key. When a private key is used to produce a digital signature, the receiver can use the public key of the sender to verify that the message was signed by the sender. These characteristics of key pairs provide a scalable and secure method of authentication over an insecure media, such as the internet.

Products

WSA

Definition

Enables collaboration between components of the network infrastructure, including security-monitoring and network-detection systems, identity and access management platforms, and so on. These components can use pxGrid to exchange information through a publish/subscribe method.

Products

Hardware

Usage

Do not expand.

Products

ESA

Definition

Defines which recipients are accepted by a public listener. Specifies the address (which may be a partial address or hostname) and whether to accept or reject it. Optionally, you can include the SMTP response to the RCPT TO command for that recipient. The RAT typically contains your local domains.

Usage

Docs—Expand on first use.

Products

Threat Grid

Definition

A setting that controls the number of samples that may be submitted to Threat Grid for analysis by API within a particular timeframe. The sample rate limit is set in the Threat Grid license entitlements and maintained at the organization level. Additional rate limits within the organization can be further specified for greater control, including limits set on individual users and devices. A rate limit is set as [[N,minutes]], where N is the number of samples and minutes is the timeframe. For example, [[100,1440]] is 100 samples within 1440 minutes (24 hours). Multiple limits may be set for additional control. For example, [[100,1440],[50, 720]]. The rate limit timeframe begins when the first sample is submitted for analysis. Rate limits use a turnstile model: once the rate limit is reached for the timeframe specified, no more samples may be submitted until the timeframe has expired. Each sample expires one at a time. As each sample reaches the timeframe limit, it is cleared from the rate limit, and another sample may be submitted. Note that the rate limit order does not matter: the more restrictive limit is applied first.

Usage

Do not hyphenate.

Usually referred to in the plural: rate limits

And as a verb in the gerund form: rate limiting

Products

SMA

Definition

When an SMA becomes overloaded, it enters into the Resource Conservation Mode (RCM), and sends a critical system alert. This is designed to protect the appliance and allow it to process any backlog of messages.

Usage

Docs—Expand on first use.

Products

Any

Definition

A sequence of characters that defines a search pattern.

Usage

Use 'regex' only in field labels or other GUI elements where space is an issue, and in documentation describing those GUI elements. Otherwise, spell out 'regular expression.'

Products

ASA, Firepower

Definition

A client-based or cloud-based application used to configure a device. A remote device manager is not installed on the appliance or delivered with the device's software.

Adaptive Security Device Manager, Cisco Defense Orchestrator, Firepower Management Center, Cisco Security Manager, and a Meraki dashboard are examples of remote device managers.

See also 'multi-device manager.'

Usage

Do not use 'off-box manager' in place of 'remote device manager.'

Products

Any

Definition

Mechanism used to track all activities within an organization over time.

Products

ESA

Definition

A way of filtering suspicious senders based on their reputation. The SenderBase Reputation Service provides an accurate, flexible way for you to reject or throttle suspected spam based on the connecting IP address of the remote host.

Products

Cloudlock

Definition

An effect automatically triggered when a security incident is generated by a policy in which the response action is stored.

• Box: Quarantine User Files—Response action specific to the Box platform that places files that violate a policy in a quarantine state (as defined by Box).

• Delay Next—Response action that adds a delay between a set of response actions in a workflow. A use case can be delaying a response action that restricts sharing or changes file ownership to give the current document owner an opportunity to correct the policy violation.

• Incident Status Update—Response action that updates the status of an incident (for example, from New to Resolved) when previous response actions have automatically mitigated the policy violation.

• Send Admin Notification—Response action that sends an email to designated administrators informing them of a security incident generated by a DLP policy scanning content stored in a customer's cloud platform.

• Send User Notification—Response action that sends an email to the user account(s) owning files containing content that triggered a security incident generated by a DLP policy scanning content stored in a customer's cloud platform.

Usage

The term is the label of a control in the UI selected by an admin user.

Products

Any

Definition

Return to a previous state. In most cases, this action is a willful initiation and not the outcome of a failed process.

Usage

Contrast with 'rollback.'