Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center

Overview of Cisco Success Network

The Cisco Success Network is a cloud service that enables the management center to establish a secure connection to the Cisco cloud and stream usage information and statistics. Streaming this telemetry provides a mechanism to select data of interest from the threat defense and send it in a structured format to remote management stations for the following benefits:

  • To inform you of available unused features that can improve the effectiveness of the product in your network.

  • To inform you of additional technical support services and monitoring that are available for your product.

  • To help Cisco improve our products.


Note


  • Cisco Success Network is not supported in the evaluation mode.

  • Cisco Success Network feature is enabled by default.

  • The Cisco Success Network feature is disabled if the management center has a valid Smart Software Manager On-Prem (formerly known as Smart Software Satellite Server) configuration or uses Specific License Reservation.


Enable Cisco Success Network

You must enable Cisco security cloud integration or register your management center with the smart license before you can enable Cisco Success Network enrollment on your management center.

In your management center web interface, click Integration > Cisco Security Cloud to view and change your current Cisco Success Network enrollment status.


Note


The Cisco Success Network feature is disabled if the Secure Firewall Management Center has a valid Smart Software Manager On-Prem (formerly known as Smart Software Satellite Server) configuration, or uses Specific License Reservation.


Enrolled Management Center Data

When you enroll the management center in Cisco Success Network, selected telemetry data about the enrolled management center is streamed to the Cisco cloud. The following table describes the collected and monitored data about the enrolled management center. The data includes feature-specific information about intrusion policies (both system-provided and custom) and malware detection for the enrolled management center.

Table 1. Enrolled Management Center Telemetry Data
Data Point Example Value

Device Name

Management Center East

Device UUID

24fd0ccf-1464-491f-a503-d241317bb327

Device Model

Cisco Secure Firewall Management Center for VMware

Serial Number

9AMDESQP6UN

System Uptime

99700000

Product Identifier

FS-VMW-SW-K9

Smart License PIID

24fd0ccf-1464-491f-a503-d241317bb327

Virtual Account Identifier

CiscoSVStemp

Smart License Virtual Account Name

FTD-ENG-SJC

Count of SSO is enabled.

1

Number of SSO users.

An integer value of 0 or greater.

SSO identity provider.

okta

Is Cisco Security Cloud integration enabled?

If enabled, the value 1 appears; otherwise, the value 0 appears.

0

Is Cisco AI Assistant feature enabled?

If enabled, the value 1 appears; otherwise, the value 0 appears.

0

Email address of the admin user, if provided.

admin@example.com

Management Center Virtual Data

The Cisco Success Network collects information about the management center virtual instances, which helps provide clarity about the cloud usage trends. The following table shows the metrics that are collected from a management center virtual instance.

Table 2. Management Center Virtual Telemetry Data

Data Point

Example Value

Type of the virtual instance

VM.Standard2.8

Cloud region

us-pheonix-3

Name of the cloud platform

Oracle Cloud

Software Version Data

Cisco Success Network collects software information that pertains to the enrolled management center device, including software version, rule update version, geolocation database version, and vulnerability database version information. The following table describes the collected and monitored software information about the enrolled device.

Table 3. Software Version Telemetry Data
Data Point Example Value

Management Center Software Version

{ type: "SOFTWARE", version: "x.x.x.x" }

Rule Update Version

{version: "2016-11-29-001-vrt", lastUpdated: 1468606837000 }

Vulnerability Database (VDB) Version

{version: "271", lastUpdated: 1468606837000 }

Geolocation Database Version

{version: "850" }

Change Management Workflow Data

Cisco Success Network collects information about the change management workflow configuration when this feature is enabled. The telemetry information includes the total number of tickets and the average number of tickets with various statuses, which helps Cisco analyze the usage of the change management workflow feature. The following table describes the collected and monitored information about the change management workflow.

Table 4. Change Management Workflow Telemetry Data

Data Point

Example Value

Is change management workflow enabled?

If enabled, the value 1 appears; otherwise, the value 0 appears.

1

Total number of approvers.

If none are configured, value 0 appears.

2

The interval at which tickets are purged, in days.

30

Is the email address to which tickets need to be sent configured?

If enabled, the value 1 appears; otherwise, the value 0 appears.

1

Total number of tickets under the change management workflow.

An integer value of 0 or greater

Number of tickets with the following statuses for the day:

  • New

  • In Progress

  • Submitted

  • Approved

  • Rejected

  • On Hold

An integer value of 0 or greater

Managed Device Data

Cisco Success Network collects information about all the managed devices associated with an enrolled management center. The following table describes the collected and monitored information about managed devices. This includes feature-specific policy and licensing information, such as URL filtering, intrusion prevention, and malware detection for managed devices.

Table 5. Managed Device Telemetry Data
Data Point Example Value

Managed Device Name.

firepower

Managed Device Version.

6.2.3-10616

Managed Device Manager.

Management Center

Managed Device Model.

Cisco Firepower 2130 NGFW Appliance

Cisco Threat Defense VMware

Managed Device Serial Number.

9AMDESQP6UN

Managed Device PID.

FPR2130-NGFW-K9

NGFWv

Snort Engine.

SNORT3

Errors for localUrlCount plugin if failed to retrieve data.

"errors": [
    "Ping DB trial no. 1 ",
    "SF::SFDBI::ping",
    "Ping returned 1",
    "Can't call method \"getPayload\" on an undefined value at /usr/local/sf/lib/perl/5.10.1/SF/CSMAgent.pm line 1906.",
    "",
    "Printing stack trace:",
    " called from /usr/local/sf/lib/perl/5.10.1/SF/CSMAgent.pm (1906)",
    " called from /usr/local/sf/lib/perl/5.10.1/SF/SSE/devices_plug.pm (409)",
    " called from /usr/local/sf/bin/devices_plug.pl (76)",
    " called from /usr/local/sf/bin/devices_plug.pl (93)"
]

Is Device Connected to Manager?

True

Container Status (Standalone, cluster, or HA).

Cluster

Device on-boarding method

USING_SERIAL_NUMBER_VIA_Security Cloud Control

Is URL Filtering License Used for Device?

True

AC Rules with URL Filtering Per Device.

An integer value of 0 or greater.

Number of AC Rules with URL Filtering That Use URL Filtering License.

An integer value of 0 or greater.

Number of AC Rules with URL Filtering That Use Threat License.

An integer value of 0 or greater.

Is Threat License Used for Device?

True

Does AC Policy Have Intrusion Rule Attached?

True

Number of AC Rules with Intrusion Policies.

An integer value of 0 or greater.

Is Malware License Used for Device?

True

Number of AC Rules with Malware Policy.

An integer value of 0 or greater.

Number of AC Rules with Malware Policy That Use Malware License.

An integer value of 0 or greater.

Is Threat Intelligence Director (TID) Used for Device?

True

Number of Static Routes.

An integer value of 0 or greater.

VRF Count.

An integer value of 0 or greater.

Is remote deployment of HA on device attempted?

False

Is device certificate visible?

False

Is nsz value set on managed device?

False

Is ogs value set on managed device?

False

NS network count.

An integer value of 0 or greater.

Count of local URL items.

{"url": "/api/local/fmc_config/v1/domain/{domainUUID}/object/networks", "count": 10}, 
{"url": "/api/local/fmc_platform/v1/info/serverversion", "count": 2}

Cisco Success Network collects information about the mode of device deployment, device interface modes, and the types of interfaces. The following table shows the collected and monitored information about the device interfaces.

Table 6. Device Interface Telemetry Data

Data Point

Example Value

Number of interfaces in the following regular firewall modes:

  • Routed

  • Transparent

An integer value of 0 or greater.

Number of interfaces in the following IPS-only modes:

  • Inline

  • Tap

  • Passive or Encapsulated remote switched port analyzer (ERSPAN)

  • Inline sets

An integer value of 0 or greater.

Number of enabled device interfaces.

An integer value of 0 or greater.

Number of all types of interfaces as follows:

  • Bridge Virtual Interface (BVI)

  • Sub

  • Redundant

  • VXLAN Network Identifier (VNI)

  • VLAN

  • VTI

  • DVTI

  • Port channel

  • Switch port

An integer value of 0 or greater.

The following table shows all information regarding port scan settings.

Table 7. Port Scan Settings Telemetry Data

Data Point

Example Value

Detection on traffic

Allowed

ICMP host

50

Is ICMP host sweep enabled?

TRUE

ICMP interval

50

Inspection mode

Detection

IP host

50

IP interval

50

IP protocol

50

Is IP protocol scan enabled?

TRUE

Is IP protocol sweep enabled?

TRUE

Sensitivity type

Custom

Shun duration

50

TCP interval

100

TCP port

56

TCP port host

59

Is TCP port scan enabled?

TRUE

Is TCP port sweep enabled?

TRUE

UDP host

50

UDP interval

50

UDP port

50

Is UDP port scan enabled?

TRUE

Is UDP port sweep enabled?

TRUE

Cisco Success Network collects information about the threat defense upgrade process, upgrade failures, and the time taken for each upgrade script to run. Cisco uses this data to improve the upgrade process and enhance the customer upgrade experience. The following table shows the information collected regarding the threat defense upgrade.

Table 8. Upgrade Status Telemetry Data

Data Point

Example Value

Hot fixes applied

Cisco_FTD_SSP_FP3K_Hotfix_W-7.3.1.2-5.sh.REL.tar

Base version

7.4.0-10

Target version

7.4.0-38

Upgrade package file name

Cisco_FTD_Upgrade-7.4.0-38.sh.REL.tar

Upgrade type

major

Displays detailed status of the canceled upgrade such as status, start and end time, and elapsed time.

{
    "status": "COMPLETED",
    "message": "Device returned to previous version: 7.5.0-10.",
    "startTime": "Tue, 07 Mar 2023 06:10:37 UTC",
    "endTime": "Tue, 07 Mar 2023 06:10:40 UTC",
    "elapsedTimeInSeconds": 3
}

Detailed status of the upgrade, such as details of the failed script, start and end time, and elapsed time.

From management center, Version 7.6.0, the message field includes a complete log of the failed script.

{
    "status": "COMPLETED",
    "message": "Installation completed successfully. Upgraded applications are started.",
    "startTime": "Tue, 07 Mar 2023 06:08:45 UTC",
    "endTime": "Tue, 07 Mar 2023 06:10:35 UTC",
    "elapsedTimeInSeconds": 110,

Failed script

"/ngfw/var/sf/upgrade-scripts/7.5.1/200_pre/001_check_reg.pl"

The execution time for individual scripts in the upgrade process.

From management center, Version 7.6.0, Cisco collects the script execution time for failed upgrades.

{
    "name": "000_start/000_00_run_cli_kick_start.sh",
    "executionTime": 1
},

Action queue status.

When upgrading a threat defense device managed by the management center, the upgrade is triggered as an action queue task, and this field displays the action queue task status.

FAILED

Group type.

Specifies whether the threat defense device is a standalone device or a part of an HA or cluster deployment.

HA/standby ready

Patch history.

Specifies the threat defense device's upgrade path and helps in identification of issues or performance impact relating to the upgrade path.

7.6.0-10

Date and time of the successful readiness check.

Tue, 07 Mar 2023 06:06:04 UTC

Reboot time (in seconds) after upgrade.

An integer value of 0 or greater.

Disk space used in the ngfw/var/ partition during upgrade, in kilobytes.

An integer value of 0 or greater.

Cisco Success Network collects information about migrating configurations from one threat defense model to an equivalent or higher-capacity model. The following table shows the information collected regarding threat defense device model migration.

Table 9. Threat Defense Model Migration Telemetry Data

Data Point

Example Value

Elapsed time.

6366

Errors.

An integer value of 0 or greater.

Is model migration completed?

True

Is the device reset?

False

Number of interfaces.

An integer value of 0 or greater.

Source device container status (Standalone, cluster, or HA).

Standalone

Model of the source device.

Cisco Firepower 2130 Threat Defense

UUID of the source device.

a8eee3f4-aa19-11ed-bda9-857788e8d45a

Is IP protocol scan enabled?

TRUE

Threat Defense version of the source device.

7.2.0

Target device container status (Standalone, cluster, or HA).

Standalone

Model of the target device.

Cisco Secure Firewall 3105 Threat Defense

Threat Defense version of the target device.

7.3.0

Threat Defense Virtual Data

Cisco Success Network collects information about the threat defense virtual instances that are associated with the management center. The data that is specific to the virtual instance helps to evaluate cloud usage patterns related to the cloud platform, cloud region, and network speed. The following table shows the metrics that are collected from the threat defense virtual instance.

Table 10. Threat Defense Virtual Telemetry Data

Data Point

Example Value

Number of network interfaces used.

An integer value of 0 or greater.

Name of hypervisor.

Oracle Cloud

Type of virtual instance.

VM.Standard2.8

Total bandwidth available for the network interfaces.

1000 Mbps

License tier.

FTDv50

Total memory that is allocated to the threat defense virtual instance.

120832 MB

Name of the network driver.

net_virtio

Cloud region.

us-pheonix-3

Number of virtual CPU cores allocated to the threat defense virtual instance.

An integer value of 0 or greater.

Policy Data

Cisco Success Network collects information about all the policies deployed on the threat defense managed by the management center. The following table describes the collected and monitored policy data.

Table 11. Policy-related Telemetry Data

Data Point

Example Value

Number of Access Policy devices assigned for Snort2.

An integer value of 0 or greater.

Number of Access Policy devices assigned for Snort3.

An integer value of 0 or greater.

Count of Access Policy custom IPS policy.

An integer value of 0 or greater.

Count of Access Policy custom NAP policy.

An integer value of 0 or greater.

Is IPS syslog enabled?

False

Is syslog destination overridden?

False

Parent Policy UUID.

4294967319

Policy UUID.

4294977323

Count of Access Policy system IPS policy.

An integer value of 0 or greater.

Count of Access Policy system NAP policy.

An integer value of 0 or greater.

Is the Umbrella DNS policy enabled for the device?

Enabled

Is the default or custom Umbrella DNS policy configured for the device?

Custom

Number of migrated Snort3 intrusion policies.

An integer value of 0 or greater.

Count of policies failure.

An integer value of 0 or greater.

Number of reason of policies failure.

N/A

Count of policies partial failure.

An integer value of 0 or greater.

Number of reason of policies partial failure.

N/A

Count of policies success.

An integer value of 0 or greater.

Number of devices assigned for Snort2 IPS.

An integer value of 0 or greater.

Number of custom rules enabled.

An integer value of 0 or greater.

Number of dynamic rules configured.

An integer value of 0 or greater.

Is firepower recommendation used.

False

Is global threshold disabled.

False

Is global threshold updated.

False

Snort2 IPS Parent Policy UUID.

abba00a0-cf29-425c-9d75-49699aadc898

Snort2 IPS Policy UUID.

0e6aa778-69f2-11eb-8e9e-6475e0e0131b

Is sensitive data detection enabled.

False

Number of SNMP enabled rules.

An integer value of 0 or greater.

Number of suppression rules configured.

An integer value of 0 or greater.

Number of threshold rules configured.

An integer value of 0 or greater.

Number of Snort2 IPS custom rule with pass.

An integer value of 0 or greater.

Number of Snort2 IPS custom rule with replace.

An integer value of 0 or greater.

Number of Snort2 IPS custom rules.

An integer value of 0 or greater.

Number of Snort2 network analysis policy devices assigned.

An integer value of 0 or greater.

Number of Snort2 network analysis policy custom instances added.

N/A

Last modified time stamp.

2021-02-15 14:15:50

Snort2 network analysis Parent Policy UUID.

abba00a0-cf29-425c-9d75-49699aadc898

Snort2 network analysis Policy UUID.

e889a48c-6f96-11eb-969d-7075e0e0131b

Snort2 network analysis Policy user Disabled Inspectors.

dns

Snort2 network analysis Policy user Edited Inspectors.

dce_rpc

Snort2 network analysis Policy user Enabled Inspectors.

http_inspect, dce_rpc

Number of devices assigned for Snort3 IPS.

An integer value of 0 or greater.

Count of group of custom rule enabled.

An integer value of 0 or greater.

Count of group of custom rule excluded.

An integer value of 0 or greater.

Count of group of custom rule included.

An integer value of 0 or greater.

Number of Snort3 IPS rules override.

An integer value of 0 or greater.

Snort3 IPS Parent Policy UUID.

7003

Snort3 IPS Policy UUID.

4294973084

Snort3 IPS Policy excluded rule groups.

[{
    "containerRuleGroupUuid": "c4f4121b-d8e0-5086-9ae3-064062109492",
    "leafRuleGroupUuids": [
        "e15f11b4-a2fc-5e7a-9549-b6638972bdf5",
        "d0ae8e7a-d36d-52bc-b129-a320082fb4f5"
    ]
}]

Snort3 IPS Policy included rule groups.

[{
    "containerRuleGroupUuid": "c4f4121b-d8e0-5086-9ae3-064062109492",
    "leafRuleGroupUuids": [
        "e15f11b4-a2fc-5e7a-9549-b6638972bdf5",
        "d0ae8e7a-d36d-52bc-b129-a320082fb4f5"
    ]
}]

Snort3 IPS Policy overridden rule groups.

[{
    "containerRuleGroupUuid": "c4f4121b-d8e0-5086-9ae3-064062109492",
    "leafRuleGroupUuids": [
        "e15f11b4-a2fc-5e7a-9549-b6638972bdf5",
        "d0ae8e7a-d36d-52bc-b129-a320082fb4f5"
    ]
}]

Count of overridden rule groups.

An integer value of 0 or greater.

Number of groups of Snort3 IPS custom rule.

An integer value of 0 or greater.

Number of Snort3 IPS custom rule.

An integer value of 0 or greater.

Number of Snort3 IPS rules with suppression.

An integer value of 0 or greater.

Number of Snort3 IPS rules with threshold.

An integer value of 0 or greater.

Number of Snort3 network analysis policy devices assigned.

An integer value of 0 or greater.

Number of Snort3 network analysis policy custom instances added.

An integer value of 0 or greater.

Number of Snort3 network analysis policy default instances edited.

An integer value of 0 or greater.

Snort3 network analysis Parent Policy UUID.

7303

Snort3 network analysis Policy UUID.

4294978428

Snort3 network analysis policy user Disabled Inspectors.

N/A

Snort3 network analysis policy user Edited Inspectors.

N/A

Snort3 network analysis policy user Enabled Inspectors.

N/A

Number of SSL certificates in the Zero Trust Access policy.

An integer value of 0 or greater.

Number of zero-trust application groups.

An integer value of 0 or greater.

Number of zero-trust applications that use file policy.

An integer value of 0 or greater.

Number of zero-trust applications that use IPS policy.

An integer value of 0 or greater.

Number of target devices for the Zero Trust Access policy.

An integer value of 0 or greater.

Identity provider URL.

www.okta.com

Number of interface objects configured in the Zero Trust Access policy.

An integer value of 0 or greater.

Total number of zero-trust enabled applications in the Zero Trust Access policy.

An integer value of 0 or greater.

Number of ungrouped applications in the Zero Trust Access policy.

An integer value of 0 or greater.

Managed Cluster Data

Cisco Success Network collects information about all the managed clusters that are associated with an enrolled management center. The following table describes the collected and monitored information about the managed clusters.

Table 12. Managed Cluster Telemetry Data

Data Point

Example Value

Cluster Model

Cisco Threat Defense for VMware

Cluster Name

vFTDCluster

Cluster Size

3

Total Number of Managed Clusters

1

Deployment Information

After you configure your deployment, you must deploy the changes to the affected devices. The following table describes the collected and monitored data about configuration deployment, such as the number of devices affected and the status of deployments, including success and failure information.

Table 13. Deployment Information
Data Point Example Value

Job ID.

8589985199

Count of policy files of access policy.

An integer value of 0 or greater.

Count of policy identity of access policy.

Count of policy IPS of access policy.

Count of NS network of access policy.

Count of objects of access policy.

Count of policy SSL of access policy.

Count of UI AC rules of access policy.

Count of interfaces changed.

Count of objects changed.

Count of rules changed.

Container Type.

STANDALONE

Duration of CSM Snapshot.

1568

End Time of CSM Snapshot (in Unix Epoch format).

1637750908871

Start Time of CSM Snapshot (in Unix Epoch format).

1637750907303

Duration of DC Snapshot

24328

End Time of DC Snapshot (in Unix Epoch format).

1637750933923

Start Time of DC Snapshot (in Unix Epoch format).

1637750909595

Count of delta CLI

17

Phase 2 Time Generation of delta CLI

523

Total Time Generation of delta CLI

1040

Deployment End Time (in Unix Epoch format).

1637751003157

Deployment Start Time (in Unix Epoch format).

1637750906704

Deployment Status.

SUCCEEDED

Deployment Type.

NORMAL_DEPLOYMENT

Device Model.

Cisco Threat Defense for VMWare

Device OS Version.

Version "X.X.X"

Duration of device package.

5217

End Time of device package (in Unix Epoch format).

1637750942073

Start Time of device package (in Unix Epoch format).

1637750936856

Device UUID.

80e4ae98-4ceb-11ec-9593-90baf6bd6a9b

Duration of file downloaded from management center.

9699

End Time of file downloaded from management center (in Unix Epoch format).

1637750951798

Start Time of file downloaded from management center (in Unix Epoch format).

1637750942099

Count files size copied from active.

An integer value of 0 or greater.

Is deployment full?

True

Count of http status retries on active.

An integer value of 0 or greater.

Duration of LINA applied.

291

End Time of LINA applied (in Unix Epoch format).

1637751001327

Start Time of LINA applied (in Unix Epoch format).

1637751001036

Duration of LINA file copied.

0

End Time of LINA file copied.

0

Start Time of LINA file copied.

0

Page types.

[PIX_INTERFACE_NKP, *_SINGLE_NKP, PG.PLATFORM.PixInterface, PG.FIREWALL.PrefilterPolicy, PG.PLATFORM.NgfwInlineSetPage, PG.PLATFORM.AutomaticApplicationBypassPage, PG.TEMPLATE.TemplatePolicy, PG.PLATFORM.NgfwNetworkVirtualizationEndPoint, PG.PLATFORM.NgfwVirtualRouterPage, PG.PLATFORM.AsaBGPPage, PG.PLATFORM.PixDDnsPage, PG.PLATFORM.NgfwPolicyBasedRouteTablePage, PG.PLATFORM.PixStaticRouteTablePage, PG.PLATFORM.PixMBoundaryPage, PG.PLATFORM.AsaOSPFv3Page, PG.PLATFORM.PixIGMPPage, PG.PLATFORM.PixOSPFPage, PG.PLATFORM.NgfwECMPZonePage, PG.PLATFORM.PixDhcpdPage, PG.PLATFORM.PixPIMPage, PG.PLATFORM.F1IPv6StaticRouteTablePage, PG.PLATFORM.PixDhcpRelayPage, PG.PLATFORM.PixAsaEigrpPage, PG.PLATFORM.PixMroutePage, PG.PLATFORM.PixRipPix72Page, PG.FIREWALL.NGFWAccessControlPolicy, NetworkDiscovery, Snort3IntrusionPolicy, Snort3NetworkAnalysisPolicy, DNSPolicy]

Size of policy bundle.

141908

Count of CLI configuration running.

163

Count of time configuration running retrieval.

An integer value of 0 or greater.

Count of Snort export ARC.

An integer value of 0 or greater.

Count of Snort export Access Control.

An integer value of 0 or greater.

Count of Snort export advanced Access Control.

An integer value of 0 or greater.

Count of Snort export applications Access Control.

An integer value of 0 or greater.

Count of Snort export DNS policy Access Control.

An integer value of 0 or greater.

Count of Snort export File policy Access Control.

An integer value of 0 or greater.

Count of Snort export IP Reputation Access Control.

An integer value of 0 or greater.

Count of Snort export Identity policy Access Control.

An integer value of 0 or greater.

Count of Snort export Intelligent App Bypass Access Control.

An integer value of 0 or greater.

Count of Snort export Intrusion policy Access Control.

An integer value of 0 or greater.

Count of Snort export Lamp lighter policy of Access Control.

An integer value of 0 or greater.

Count of Snort export Network Analysis policy of Access Control

An integer value of 0 or greater.

Count of Snort export Network Discovery of Access Control.

An integer value of 0 or greater.

Count of Snort export prefilter policy of Access Control.

An integer value of 0 or greater.

Count of Snort export QOS policy as Access Control.

An integer value of 0 or greater.

Count of Snort export SSL policy Access Control.

An integer value of 0 or greater.

Count of Snort export Snort3 Intrusion policy of Access Control.

An integer value of 0 or greater.

Count of Snort export Variable set of Access Control.

An integer value of 0 or greater.

Count of Snort export Detectors of Access Control.

An integer value of 0 or greater.

Count of Snort export Beaker.

An integer value of 0 or greater.

Count of Snort export Geolocation.

An integer value of 0 or greater.

Count of Snort export LSP.

An integer value of 0 or greater.

Count of Snort export NGFW policy.

An integer value of 0 or greater.

Count of Snort export platform settings.

An integer value of 0 or greater.

Count of Snort export sensor clustering.

An integer value of 0 or greater.

Count of Snort export sensor policy.

An integer value of 0 or greater.

Count of Snort export snort.

An integer value of 0 or greater.

Count of Snort export state sharing.

An integer value of 0 or greater.

Duration of Snort preparation on active.

27218

End Time of Snort preparation on active.

1637750983442

Start Time of Snort preparation on active.

1637750956224

Status of Snort restart.

False

Duration of Snort signal on active.

17537

End Time of Snort signal on active (in Unix Epoch format).

1637751000981

Start Time of Snort signal on active (in Unix Epoch format).

1637750983444

TLS/SSL Inspection Event Data

By default, the Secure Firewall Threat Defense cannot inspect traffic encrypted with the Secure Socket Layer (SSL) protocol or its successor, the Transport Layer Security (TLS) protocol. TLS/SSL inspection enables you to either block encrypted traffic without inspecting it, or inspect encrypted or decrypted traffic with access control. The following tables describe statistics shared with Cisco Success Network about encrypted traffic.

Handshake Process

When the system detects a TLS/SSL handshake over a TCP connection, it determines whether it can decrypt the detected traffic. As the system handles encrypted sessions, it logs details about the traffic.

Table 14. TLS/SSL Inspection - Handshake Telemetry Data
Data Point Example Value

The system reports the following applied actions when the traffic cannot be decrypted and is:

  • Blocked.

  • Blocked with a TCP reset.

  • Not decrypted.

An integer value of 0 or greater.

The system reports the following applied actions when the traffic can be decrypted:

  • With a known private key.

  • With a replacement key only.

  • By resigning a self-signed certificate.

  • By resigning the server certificate.

An integer value of 0 or greater.

The number of SSL rules set to block encrypted traffic.

An integer value of 0 or greater.

The number of SSL rules set to block encrypted traffic and reset the connection.

An integer value of 0 or greater.

The number of SSL rules set to decrypt incoming traffic.

An integer value of 0 or greater.

The number of SSL rules set to decrypt outgoing traffic.

An integer value of 0 or greater.

The number of SSL rules set to not decrypt encrypted traffic.

An integer value of 0 or greater.

The number of SSL rules set to log encrypted traffic.

An integer value of 0 or greater.

Does the AC policy have intrusion?

False

The number of AC rules set with intrusion.

An integer value of 0 or greater.

Is Threat Intelligence Director (TID) enabled?

True

The number of AC rules that needed threat license to perform traffic intrusion detection and prevention.

An integer value of 0 or greater.

Is threat license used for traffic intrusion detection and prevention?

True

The number of AC rules set with URL Filtering.

An integer value of 0 or greater.

The number of AC rules that need Threat License.

An integer value of 0 or greater.

The number of AC rules that need URL License.

An integer value of 0 or greater.

Is threat license used for URL Filtering?

True

The number of actions set to handle SSL handshake message.

An integer value of 0 or greater.

Cache Data

After a TLS/SSL handshake completes, the managed device caches encrypted session data, which allows session resumption without requiring the full handshake. The managed device also caches server certificate data, which allows faster handshake processing in subsequent sessions.

Table 15. TLS/SSL Inspection - Cache Telemetry Data
Data Point Example Value

The system caches encrypted session data and server certificate data, and reports on the cache per SSL connections, specifically:

  • The number of times SSL session information was cached.

  • The number of times the SSL certificate validation cache was hit.

  • The number of times the SSL certificate validation cache lookup missed.

  • The number of times the SSL original certificate cache was hit.

  • The number of times the SSL original certificate cache lookup missed.

  • The number of times the SSL resigned certificate cache was hit.

  • The number of times the SSL resigned certificate cache lookup missed.

  • The number of client hello digest cache entries.

  • The number of client hello digest cache evictions.

  • The number of times the client hello digest cache was hit.

  • The client hello digest cache memory used.

  • The number of client hello digest cache misses.

  • The number of endpoint cert cache entries.

  • The endpoint cert cache memory used.

  • The number of external cert cache entries.

  • The external cert cache memory used.

  • The number of internal CA cache entries.

  • The internal CA cache memory used.

  • The number of object list cache entries.

  • The object list cache memory used.

  • The number of original cert cache entries.

  • The original cert cache entries memory used.

  • The number of original cert cache evictions.

  • The number of times the original cert cache was hit.

  • The original cert cache memory used.

  • The number of original cert cache misses.

  • The number of resigned cert cache entries.

  • The resigned cert cache entries memory used.

  • The number of resigned cert cache evictions.

  • The number of times the resigned cert cache was hit.

  • The resigned cert cache memory used.

  • The number of resigned cert cache misses.

  • The number of server name cache entries.

  • The number of server name cache evictions.

  • The number of times the server name cache was hit.

  • The server name cache memory used.

  • The number of server name cache misses.

  • The number of session ID cache entries.

  • The number of session ID cache evictions.

  • The number of times the session ID cache was hit.

  • The session ID cache memory used.

  • The number of session ID cache misses.

  • The number of session ticket cache entries.

  • The number of session ticket cache evictions.

  • The number of times the session ticket cache was hit.

  • The session ticket cache memory used.

  • The number of session ticket cache misses.

  • The SSL caches total memory.

  • The SSL caches total memory used.

  • The number of URL retry cache entries.

  • The number of URL retry cache evictions.

  • The number of times the URL retry cache was hit.

  • The URL retry cache memory used.

  • The number of URL retry cache misses.

An integer value of 0 or greater.

Is SSL Usage enabled on the management center?

True

Certificate Status

The system evaluates encrypted traffic and reports the certificate status of the encrypting server.

Table 16. TLS/SSL Inspection - Certificate Status Telemetry Data
Data Point

Example Value

The system evaluates encrypted traffic based on the certificate status of the encrypting server, and reports:

  • Number of connections where the SSL certificate is valid.

  • Number of connections where the SSL certificate is expired.

  • Number of connections where the SSL certificate has an invalid issuer.

  • Number of connections where the SSL certificate has an invalid signature.

  • Number of connections where the SSL certificate is not checked.

  • Number of connections where the SSL certificate is not yet valid.

  • Number of connections where the SSL certificate is revoked.

  • Number of connections where the SSL certificate is self-signed.

  • Number of connections where the SSL certificate is unknown.

An integer value of 0 or greater.

Failure Reason

The system evaluates encrypted traffic and reports the failure reason when the system fails to decrypt traffic.

Table 17. TLS/SSL Inspection - Failure Telemetry Data
Data Point

Example Value

The system evaluates encrypted traffic and reports the failure reason when the system fails to decrypt traffic due to:

  • A decryption error.

  • Making a policy verdict during the handshake.

  • Making a policy verdict before the handshake.

  • Compression being negotiated.

  • An uncached session.

  • An interface in passive mode.

  • An unknown cipher suite.

  • An unsupported cipher suite.

An integer value of 0 or greater.

Version

The system evaluates encrypted traffic and reports the negotiated TLS/SSL version per connection.

Table 18. TLS/SSL Inspection - Version Telemetry Data
Data Point

Example Value

The system evaluates encrypted traffic and reports the negotiated version per SSL connections where:

  • SSLv2 was negotiated.

  • SSLv3 was negotiated.

  • An unknown version was negotiated.

  • TLSv1.0 was negotiated.

  • TLSv1.1 was negotiated.

  • TLSv1.2 was negotiated.

  • TLSv1.3 was negotiated.

An integer value of 0 or greater.

Snort Restart Data

When the traffic inspection engine, referred to as the Snort process, on a managed device restarts, inspection is interrupted until the process resumes. Creating or deleting a user-defined application, or activating or deactivating a system or custom application detector, immediately restarts the Snort process without going through the deploy process. The system warns you that continuing restarts the Snort process and allows you to cancel. The restart occurs on any managed device in the current domain or in any of its child domains. The following table describes the collected and monitored data about the Snort restart.

Table 19. Snort Restart Telemetry Data
Data Point

Example Value

Count of snort restarts when you enable or disable a custom application detector.

An integer value of 0 or greater

Count of snort restarts when you create or modify a custom application detector.

An integer value of 0 or greater

Snort3 Data

The following table describes the collected and monitored data about the Snort3 process. This includes session-specific information about packet performance monitoring about TCP/IP and other network protocols.

Table 20. Snort3 Telemetry Data
Data Point

Example Value

Count of sessions pruned because the cache was full or flow memory capacity was reached.

An integer value of 0 or greater.

Count of the number of sessions for which Snort did not see the start of the flow.

An integer value of 0 or greater.

Count of the number of sessions detected midstream.

An integer value of 0 or greater.

The system reports the following counts related to packet performance monitoring used to determine the basic level of latency:

  • The number of packets that exceeded the total detection time threshold.

  • The number of packets that exceeded the rule threshold.

  • The number of SSL packet timeouts.

  • The total number of packets monitored.

  • The total time spent in detection.

  • The maximum time that a packet spent in detection.

  • The number of rule trees that exceeded the rule threshold.

  • The total number of rules evaluated.

  • The number of rules that are re-enabled post suspension.

An integer value of 0 or greater.

The maximum number of TCP sessions.

An integer value of 0 or greater.

The maximum number of Elephant flows.

An integer value of 0 or greater.

The number of TCP data bytes processed.

An integer value of 0 or greater.

The maximum number of UDP sessions.

An integer value of 0 or greater.

The number of UDP data bytes processed.

An integer value of 0 or greater.

The maximum number of IP sessions (non ICMP/UDP/TCP).

An integer value of 0 or greater.

The number of IP data bytes processed (non ICMP/UDP/TCP).

An integer value of 0 or greater.

The maximum number of FTP sessions.

An integer value of 0 or greater.

The number of FTP data bytes processed.

An integer value of 0 or greater.

The maximum number of HTTP sessions.

An integer value of 0 or greater.

The maximum number of SMTP sessions.

An integer value of 0 or greater.

The number of SMTP data bytes processed.

An integer value of 0 or greater.

The maximum number of POP sessions.

An integer value of 0 or greater.

The number of POP data bytes processed.

An integer value of 0 or greater.

The maximum number of SSH sessions.

An integer value of 0 or greater.

The number of SSH data bytes processed.

An integer value of 0 or greater.

The number of SSL packets processed.

An integer value of 0 or greater.

The number of SSL packets ignored.

An integer value of 0 or greater.

The number of SSL sessions ignored.

An integer value of 0 or greater.

The maximum number of SSL sessions.

An integer value of 0 or greater.

The maximum number of HTTP/2 sessions.

An integer value of 0 or greater.

The maximum number of HTTP/2 data bytes processed (total_bytes).

An integer value of 0 or greater.

The maximum number of HTTP data bytes processed (total_bytes).

An integer value of 0 or greater.

The data collection start time (in Unix Epoch format).

1711448925

The number of Snort clean exits list.

An integer value of 0 or greater.

The number of Snort unexpected exits list.

An integer value of 0 or greater.

Firepower recommendations used for Snort3 intrusion policy.

False

Are disabled rules accepted in the Snort3 intrusion policy recommendation settings?

False

Last time the Snort3 intrusion policy recommendation settings were updated (in Unix Epoch format).

1625032449791

Count of recommendations for Snort3 intrusion policy.

12

Level of security recommended for Snort3 intrusion policy.

"LEVEL_2"

The following table describes Snort3 runtime XTLS traffic information.

Table 21. Snort3 Telemetry Data

Data Point

Example Value

Certificate dnd verdicts.

1

Certificate dr verdicts.

1

Certificate drk verdicts.

2

Certificate dkk verdicts.

3

Certificate dp verdicts.

4

The number of client hello definitive dnd entries.

5

Flow over subscriptions.

6

SSLv3 was negotiated.

7

TLSv1.0 was negotiated.

8

TLSv1.1 was negotiated.

9

TLSv1.2 was negotiated.

10

TLSv1.3 was negotiated.

11

TLSv1.3 flow decrypted.

12

esni was requested.

13

Count of XTLS flows created.

14

Count of SH sessions resumed.

15

Ciphers that were negotiated.

{ "TLS_RSA_WITH_AES_128_CBC_SHA": 3},{ "TLS_RSA_WITH_AES_256_CBC_SHA": 1}

An unsupported cipher suite.

{"DHE-DSS-AES256-GCM-SHA384" }

Dropped ciphers.

{ }

Bad certificate.

{ "www.gmail.com": 4},{ "www.reddit.com": 3}

An unknown certificate.

{ "www.youtube.com": 4}

An unknown certificate authority.

{ "www.youtube.com": 4}

The following table describes Snort3 crash information.

Table 22. Snort3 Telemetry Data

Data Point

Example Value

The version of custom application detector.

An integer value of 0 or greater.

The packets trace of data acquisition library (DAQ).

An integer value of 0 or greater.

The data message of data acquisition library (DAQ).

An integer value of 0 or greater.

The header message of data acquisition library (DAQ).

An integer value of 0 or greater.

The type of data acquisition library (DAQ).

An integer value of 0 or greater.

IMS Build.

1403

IMS Version.

6.7.0

LSP Version.

lsp-dev-20200710-1754

Model.

Cisco Firepower 2120 Threat Defense

Model Number.

72

NAVL Version.

98

The process ID number (PID).

12368

Signal.

6

Snort Build.

4.116

Snort Version.

3.0.1

SSP Build

99.15.1.245

Time Stamp (in Unix Epoch format).

15991116699.963031

VDB Build.

336

VDB Version.

4.5.0

Zero Trust Access Statistics

LINA exports important Zero Trust Access telemetry data such as the number of active users, total number of applications, number of unsuccessful SAML requests or responses, and the latency.

The following table describes the collected and monitored data about Zero Trust Access that is exported by LINA.

Table 23. Zero Trust Access Telemetry Data Exported by LINA

Data Point

Example Value

Average number of zero-trust applications active in 24 hours.

2

Maximum number of zero-trust applications active in 24 hours.

3

Average number of zero-trust applications enabled in 24 hours.

2

Maximum number of zero-trust applications enabled in 24 hours.

4

Total number of zero-trust applications.

An integer value of 0 or greater.

Average authentication latency. The average latency is calculated as a cumulative average.

4

Maximum authentication latency.

5

Minimum authentication latency.

4

Average number of zero-trust authentications that are in progress in 24 hours.

An integer value of 0 or greater.

Maximum number of zero-trust authentications that are in progress in 24 hours.

An integer value of 0 or greater.

Total number of zero-trust authentications.

An integer value of 0 or greater.

Number of unsuccessful SAML authentication requests sent by the zero-trust enabled applications.

An integer value of 0 or greater.

Number of successful SAML authentication requests sent by the zero-trust enabled applications.

An integer value of 0 or greater.

Total number of SAML authentication requests sent by the zero-trust enabled applications.

An integer value of 0 or greater.

Number of unsuccessful SAML authentication responses that are sent by the zero-trust enabled applications.

An integer value of 0 or greater.

Number of successful SAML authentication responses that are sent by the zero-trust enabled applications.

An integer value of 0 or greater.

Total number of SAML authentication responses that are sent by the zero-trust enabled applications.

An integer value of 0 or greater.

Total data bytes received after authentication.

1420

Total data bytes sent after authentication.

2140

Average number of active users with a valid cookie in 24 hours.

5

Maximum number of active users with a valid cookie in 24 hours.

5

Total number of active users with a valid cookie.

An integer value of 0 or greater.

Number of unsuccessful zero-trust sessions.

An integer value of 0 or greater.

Number of successful zero-trust sessions.

An integer value of 0 or greater.

Total number of zero-trust sessions.

An integer value of 0 or greater.

The Snort engine exports important Zero Trust Access telemetry statistics such as the total number of HTTP flows received, the total number of cookie or username messages received, and authorization failures for valid and invalid cookies.

The following table describes the collected and monitored data about Zero Trust Access that is exported by Snort.

Table 24. Zero Trust Access Telemetry Data Exported by Snort

Data Point

Example Value

Total number of zero-trust connections received, which is the sum of the allowed flows and the blocked flows.

An integer value of 0 or greater.

Number of successfully authorized zero-trust connections.

An integer value of 0 or greater.

Total number of blocked zero-trust connections. This value is the sum of all the connections blocked due to the following:

  • Invalid application.

  • Unsuccessful processing.

  • Unsuccessful connection authorization.

An integer value of 0 or greater.

Number of zero-trust connections for which the service is not set.

An integer value of 0 or greater.

Number of blocked connections due to unsuccessful processing.

An integer value of 0 or greater.

Number of blocked non-TLS connections.

An integer value of 0 or greater.

Number of blocked zero-trust connections due to SSL DND events.

An integer value of 0 or greater.

Number of blocked zero-trust connections due to SSL block events.

An integer value of 0 or greater.

Number of blocked zero-trust connections due to invalid session state.

An integer value of 0 or greater.

Number of blocked zero-trust connections due to unsuccessful authorization.

An integer value of 0 or greater.

Number of blocked zero-trust connections due to invalid domain.

An integer value of 0 or greater.

Number of zero-trust connections for which the authorization token is not available.

An integer value of 0 or greater.

Number of zero-trust connections for which the authorization token length is greater than the acceptable value.

An integer value of 0 or greater.

Number of zero-trust connections for which the authorization token is invalid.

An integer value of 0 or greater.

Number of zero-trust HTTP events received.

An integer value of 0 or greater.

Number of zero-trust events that are received with host URI length greater than the acceptable value.

An integer value of 0 or greater.

Total number of blocked zero-trust connections due to unsuccessful redirection.

An integer value of 0 or greater.

Number of zero-trust reload events.

An integer value of 0 or greater.

Total number of zero-trust messages received. This value is the sum of the following zero-trust messages:

  • Invalid connection.

  • Invalid data.

  • Token.

  • Username.

An integer value of 0 or greater.

Total number of zero-trust messages that do not associate with a connection.

An integer value of 0 or greater.

Total number of zero-trust messages that do not have message type shared by LINA to Snort.

An integer value of 0 or greater.

Number of zero-trust messages with type as cookie.

An integer value of 0 or greater.

Number of zero-trust messages with the type as username.

An integer value of 0 or greater.

Number of zero-trust messages with an unsupported message type. Note that Zero Trust Access supports only username and cookie message types.

An integer value of 0 or greater.

Encrypted Visibility Engine Statistics

Cisco Success Network collects encrypted visibility engine (EVE) telemetry across various threat and confidence levels and protocols. The following table describes the collected and monitored statistics about the encrypted visibility engine.

Table 25. Encrypted Visibility Engine Telemetry Data

Data Point

Example Value

Number of packets evaluated by EVE.

An integer value of 0 or greater.

Number of HTTP processes identified by EVE with very high confidence.

An integer value of 0 or greater.

Number of TLS processes identified by EVE with very high confidence.

An integer value of 0 or greater.

Number of QUIC processes identified by EVE with very high confidence.

An integer value of 0 or greater.

Number of HTTP connections blocked by EVE with very high threat score.

An integer value of 0 or greater.

Number of TLS connections blocked by EVE with very high threat score.

An integer value of 0 or greater.

Number of QUIC connections blocked by EVE with very high threat score.

An integer value of 0 or greater.

Number of HTTP malwares identified by EVE with very high threat level.

An integer value of 0 or greater.

Number of TLS malwares identified by EVE with very high threat level.

An integer value of 0 or greater.

Number of QUIC malwares identified by EVE with very high threat level.

An integer value of 0 or greater.

Number of HTTP processes identified by EVE with high confidence.

An integer value of 0 or greater.

Number of TLS processes identified by EVE with high confidence.

An integer value of 0 or greater.

Number of QUIC processes identified by EVE with high confidence.

An integer value of 0 or greater.

Number of HTTP connections blocked by EVE with high threat score.

An integer value of 0 or greater.

Number of TLS connections blocked by EVE with high threat score.

An integer value of 0 or greater.

Number of QUIC connections blocked by EVE with high threat score.

An integer value of 0 or greater.

Number of HTTP malwares identified by EVE with high threat level.

An integer value of 0 or greater.

Number of TLS malwares identified by EVE with high threat level.

An integer value of 0 or greater.

Number of QUIC malwares identified by EVE with high threat level.

An integer value of 0 or greater.

Number of HTTP processes identified by EVE with medium confidence.

An integer value of 0 or greater.

Number of TLS processes identified by EVE with medium confidence.

An integer value of 0 or greater.

Number of QUIC processes identified by EVE with medium confidence.

An integer value of 0 or greater.

Number of HTTP connections blocked by EVE with medium threat score.

An integer value of 0 or greater.

Number of TLS connections blocked by EVE with medium threat score.

An integer value of 0 or greater.

Number of QUIC connections blocked by EVE with medium threat score.

An integer value of 0 or greater.

Number of HTTP malwares identified by EVE with medium threat level.

An integer value of 0 or greater.

Number of TLS malwares identified by EVE with medium threat level.

An integer value of 0 or greater.

Number of QUIC malwares identified by EVE with medium threat level.

An integer value of 0 or greater.

Total number of labeled fingerprints for HTTP.

An integer value of 0 or greater.

Total number of labeled fingerprints for TLS.

An integer value of 0 or greater.

Total number of labeled fingerprints for QUIC.

An integer value of 0 or greater.

Total number of unlabeled fingerprints for HTTP.

An integer value of 0 or greater.

Total number of unlabeled fingerprints for TLS.

An integer value of 0 or greater.

Total number of unlabeled fingerprints for QUIC.

An integer value of 0 or greater.

Encrypted Visibility Engine Exception Rule Statistics

You can create an EVE exception rule to ensure the continuity of trusted connections and services by bypassing the EVE’s block action. You can add attributes such as process names and destination IP address to the exception rule. The following table describes the collected and monitored EVE exception rule statistics telemetry data.

Table 26. EVE Exception Rule Statistics Telemetry Data

Data Point

Example Value

Number of EVE exception rules containing only destination IP address.

An integer value of 0 or greater.

Count of EVE exception rules containing only destination FQDN.

An integer value of 0 or greater.

Count of EVE exception rules containing only destination dynamic attributes.

An integer value of 0 or greater.

Number of EVE exception rules containing only EVE process name.

An integer value of 0 or greater.

Number of EVE exception rules containing only destination context.

An integer value of 0 or greater.

Number of EVE exception rules containing both destination context and EVE process name.

An integer value of 0 or greater.

Count of EVE exception rules containing only source context.

An integer value of 0 or greater.

Number of EVE exception rules containing both source context and EVE process name.

An integer value of 0 or greater.

Total number of EVE exception rules defined.

An integer value of 0 or greater.

Contextual Cross-Launch Data

The contextual cross-launch feature allows you to quickly find more information about potential threats in web-based resources outside of the management center. You can click directly from an event in the event viewer or dashboard in the management center to the relevant information in an external resource. This lets you quickly gather context around a specific event based on its IP addresses, ports, protocol, domain, and/or SHA 256 hash.

Table 27. Contextual Cross-Launch Telemetry Data

Data Point

Example Value

The count of the Contextual Cross-Launch resources configured on the management center.

An integer value of 0 or greater.

The count of the Contextual Cross-Launch resources enabled on the management center.

An integer value of 0 or greater.

The count of Contextual Cross-Launch instances containing a domain variable.

An integer value of 0 or greater.

The count of Contextual Cross-Launch instances containing an IP variable.

An integer value of 0 or greater.

The count of Contextual Cross-Launch instances containing a SHA 256 variable.

An integer value of 0 or greater.

The count of the Secure Network Analytics Configuration resources enabled on the management center.

An integer value of 0 or greater.

The count of the Secure Network Analytics configuration that has Log Host.

An integer value of 0 or greater.

The count of the Secure Network Analytics configuration of the store events on management center.

An integer value of 0 or greater.

The type of setup used in Security Analytics and Logging integration wizard is One Box.

An integer value of 0 or greater.

Count of users using the Light theme.

An integer value of 0 or greater.

Event Summary

Intrusion policies and Malware & File policies generate events for matched traffic and log the captured attack information. The following table describes the statistics that are shared with Cisco Success Network about the intrusion, file, and malware events.

Table 28. Event Summary Telemetry

Data point

Example Value

The system reports the following intrusion event data for the last 24 hours:

  • Intrusion events with the following applied actions:

    • Blocked

    • Partially blocked

    • Would block

    • Drop

    • Dropped

    • Partially dropped

    • Would drop

    • Would have dropped

    • Alert

    • React

    • Would react

    • Reject

    • Would Reject

    • Rewrite

    • Would Rewrite

  • Total number of intrusion events.

An integer value of 0 or higher.

The system reports the following malware event data for the last 24 hours:

  • Number of malware events blocked.

  • Total number of malware events.

  • Total number of file events.

An integer value of 0 or higher.

Total number of network discovery hosts.

An integer value of 0 or higher.

Cloud Event Configuration

Cisco Success Network collects information about the various types of events that the management center sends to the Cisco cloud. The following table describes the collected and monitored statistics about the cloud event configuration.

Table 29. Cloud Event Configuration

Data point

Example Value

Number of devices excluded from sending events to Cisco cloud.

An integer value of 0 or higher.

Is the management center configured to send events to Cisco cloud?

False

Is the management center configured to send security-related connection events?

False

Is the management center configured to send all connection events?

False

Is the management center configured to send discovery events?

False

Is the management center configured to send file and malware events?

False

Is the management center configured to send intrusion events?

False

Is sending intrusion packets to Cisco cloud enabled?

False

Report Usage Data

To learn how the management center's report capabilities are being used, Cisco Success Network collects various report usage statistics, including the number of custom report templates, the number of scheduled report tasks, the frequency of report generation, and more. The following table shows the data that is collected about report usage.

Table 30. Report Usage Telemetry Data

Data Point

Example Value

Number of generated reports available on the management center's Reports (Overview > Reports) page.

An integer of 0 or greater.

Number of custom report templates created.

An integer of 0 or greater.

Number of report templates that use user-defined saved searches.

An integer of 0 or greater.

Number of scheduled report tasks in the management center's Scheduling (System > Scheduling) page.

An integer of 0 or greater.

Number of user-defined saved searches.

An integer of 0 or greater.

Total number of saved searches, including both predefined and user-defined saved searches.

An integer of 0 or greater.

VPN Data

The following table describes the data shared with Cisco Success Network about the various certificate objects enrolled to the threat defense device.

Table 31. Certificate Objects Telemetry Data

Data Point

Example Value

Certificate enrollment of EST objects.

An integer value of 0 or greater.

Certificate enrollment of manual objects.

Certificate enrollment of PKCS12 objects.

Certificate enrollment of SCEP objects.

Certificate enrollment of self-signed objects.

Certificate enrollments.

Count of devices with certificate enrollments.

The following table describes the data shared with Cisco Success Network about the remote access VPN policies configured in the threat defense devices, including the number of connection profiles and dynamic access policies.

Table 32. Remote Access VPN Telemetry Data

Data Point

Example Value

Number of connection profiles with LOCAL realm configured as fallback to primary or secondary authentication server.

An integer value of 0 or greater.

Number of connection profiles with LOCAL realm configured as primary or secondary authentication server.

Number of connection profiles with RADIUS Server configured as authentication, authorization, or accounting server.

Number of connection profiles with Realm configured as authentication or authorization server.

Number of connection profiles with SAML SSO configured as authentication server.

Number of connection profiles with WebAuthN enabled.

Number of devices enabled with VPN load balancing.

Number of dynamic access policies.

Number of dynamic access policy records.

Total number of remote access VPN connection profiles.

Number of remote access VPN policies.

Number of remote access VPN policies with IPsec-IKEv2 enabled.

Number of remote access VPN policies with SSL enabled.

Number of devices configured with remote access VPN.

Number of remote access VPN policies with service access object configured.

The following table describes the data shared with Cisco Success Network about different site-to-site VPN topology configurations in the threat defense device.

Table 33. Site-to-Site VPN Telemetry Data

Data Point

Example Value

Devices configured with site-to-site VPN.

An integer value of 0 or greater.

Number of site-to-site IKEv1 VPN with certificate authentication.

Number of site-to-site IKEv2 VPN with certificate authentication.

Number of site-to-site VPN extranet endpoints.

Number of site-to-site VPN full mesh topologies.

Number of site-to-site VPN hub and spoke topologies.

Number of site-to-site VPN IKEv1 topologies.

Number of site-to-site VPN IKEv2 topologies.

Number of site-to-site VPN point to point topologies.

Number of site-to-site VPN VTI topologies.

The following table describes the data shared with Cisco Success Network about different SD-WAN VPN topology configurations in the threat defense device.

Table 34. SD-WAN VPN Telemetry Data

Data Point

Example Value

Total number of SD-WAN VPN topologies configured.

An integer value of 0 or greater.

Number of unique devices configured as hubs in SD-WAN topology.

Number of unique devices configured as spoke in the SD-WAN topology.

Number of spoke devices with dual ISP configuration.

Number of dual-hub SD-WAN VPN topologies configured with different AS number.

Number of SD-WAN VPN topologies with BGP overlay routing automation enabled.

Number of SD-WAN VPN topologies with BGP overlay routing automation disabled.

Number of SD-WAN VPN topologies with redistribution of BGP connected interfaces enabled.

Number of SD-WAN VPN topologies with redistribution of BGP connected interfaces disabled.

MariaDB Data

The management center uses MariaDB to store configuration data. The following table describes the collected and monitored information about the MariaDB database.

Data Point

Example Value

MariaDB CPU status.

[{ "timestamp" : "123124312", "value" : "1%" }, { "timestamp" : "123124312", "value" : "2%" }, { "timestamp" : "123124312", "value" : "24%" }]

MariaDB memory status.

[{ "timestamp" : "123124312", "value" : "1gb" }, { "timestamp" : "123124312", "value" : "2gb" }, { "timestamp" : "123124312", "value" : "24gb" }]

Count of Db connection.

[{ "timestamp" : "123124312", "value" : 1 }, { "timestamp" : "123124312", "value" : 2 }, { "timestamp" : "123124312", "value" : 24 }]

Size of Db file system.

[{ "location" : "/var/lib/mysql/cfgdb/", "value" : "1gb" }, { "location" : "/var/lib/mysql/sfsnort/", "value" : "2gb" }, { "location" : "/var/lib/mysql/", "value" : "24gb" }]

Size of Db binlog.

"20gb"

Size of Db.

{ "cfgdb" : "5gb", "sfsnort" : "5gb", "Total_Db_size": "25gb" }

Size of Db index.

{ "cfgdb" : "5gb", "sfsnort" : "5gb", "Total_Db_size": "25gb" }

Top ten table by size.

{ "cfgdb": [ { "table_name" : "<tb1>", "row_count" : 4990, "size" : "500mb" }, { "table_name" : "<tb2>", "row_count" : 4990, "size" : "500mb" } ],

"sfsnort": [ { "table_name" : "<tb1>", "row_count" : 4990, "size" : "500mb" }, { "table_name" : "<tb2>", "row_count" : 4990, "size" : "500mb" } ] }

The system captures the slow query of data from EM peers:

Query.

SELECT * from EM_peers

Query time.

2.37s (4s)

Count of executed queries.

An integer value of 0 or greater.

Count of rows examined.

An integer value of 0 or greater.

Count of rows affected.

An integer value of 0 or greater.

The system captures the slow query of data from sensors:

Query.

SELECT * from sensors

Query time.

2.37s (4s)

Count of executed queries.

An integer value of 0 or greater.

Count of rows examined.

An integer value of 0 or greater.

Count of rows affected.

An integer value of 0 or greater.

Global status of CLI.

"STRING"

Health Monitoring

The health monitor on the management center tracks a variety of health indicators to ensure that the hardware and software in your firewall system work correctly. The following table describes the health monitoring status of the management center and threat defense.

Table 35. Health Monitoring Telemetry Data

Data Point

Example Value

The system reports the following health status of management center:

  • Maximum number of custom dashboards created by a single user.

  • Number of users who created a dashboard.

An integer value of 0 or greater

The system reports the following health status of threat defense:

  • Maximum number of custom dashboards created by a single user.

  • Number of users who created a dashboard.

An integer value of 0 or greater

Identity Usage

User identity information can help you to identify the source of policy breaches, attacks, or network vulnerabilities, and trace them to specific users. The following table describes the information that is shared with Cisco Success Network about identity usage of policies.

Table 36. Identity Usage Telemetry Data

Data Point

Example Value

The system reports the following identity usage of access control policy:

  • Number of access rules.

  • Number of access policies.

  • Number of unique realm references.

  • Number of unique user group references.

  • Number of unique user references.

  • Number of rules with ABP.

  • Number of rules with Security Group Tag (SGT).

  • Number of rules with user group reference.

  • Number of rules with user reference.

An integer value of 0 or greater

The system reports the following identity usage of identity policy status:

  • Number of active rules.

  • Number of identity policies.

  • Number of auth rules.

  • Number of unique realm sequences.

  • Number of unique realms.

  • Number of passive rules.

An integer value of 0 or greater

The system reports the following identity usage of identity source status:

  • Number of IS configured.

  • Number of SGT Exchange Protocols (SXP) enabled.

  • Number of directory sessions enabled.

An integer value of 0 or greater

The system reports the following identity usage of realm status:

  • Number of AD realms.

  • Number of LDAP directories.

  • Number of LDAP realms.

  • Number of local realms.

  • Number of realm sequences.

An integer value of 0 or greater

The system reports the following identity usage of proxy:

  • Number of realms with proxy.

  • Number of devices used for ISE proxy.

  • Number of proxy sequences.

  • Number of standalone proxy devices.

  • Total number of devices used for realm proxy.

  • Maximum number of devices used for realm proxy.

  • Minimum number of devices used for realm proxy.

  • Number of devices that are used as proxy.

An integer value of 0 or greater

Telemetry Example File

The following is an example of a Cisco Success Network telemetry file for streaming policy and deployment information about a management center and its managed devices:

{
    "recordType": "CST_FMC",
    "recordVersion": "7.7.0",
    "recordedAt": 1669918170779,
    "fmc": {
        "aiAssistant": {
            "isAiAssistantEnabled": 0
        },
        "auditLog": {
            "isAuditLogToSyslogEnabled": "disabled"
        },
        "cloud_service": {
            "amp_setting": {
                "enableAutomaticMalwareUpdates": 1,
                "enableDataSharing": 0,
                "lastUpdateTimestamp": 1669841433,
                "licensed": 1,
                "proxyEnabled": 0
            },
            "url_filtering": {
                "cacheTimeout": 0,
                "enableAutomaticUpdates": 1,
                "enableURLFilter": 1,
                "licensed": 1,
                "queryVendors": 2,
                "userPreference": 1
            }
        },
        "deviceInfo": {
            "Apache": {
                "isClientCertAuthEnabled": 0,
                "isDefaultCert": 1
            },
            "CiscoSecurityCloud": {
                "isCiscoSecurityCloudEnabled": 0
            },
            "deviceModel": "Secure Firewall Management Center for VMware",
            "deviceName": "FMC1-FASTPOD",
            "deviceUuid": "052f72b2-6f3e-11ed-af5f-59804da3174c",
            "isSsoEnabled": 0,
            "serialNumber": "None",
            "smartLicenseProductInstanceIdentifier": "9ba0f39d-a6a0-421b-8053-6299fa26f0ab",
            "smartLicenseVirtualAccountName": "ACE2",
            "systemUptime": 263436000,
            "udiProductIdentifier": "FS-VMW-SW-K9",
            "primaryFMCRemoteManagementAccess": "FQDN",
            "secondaryFMCRemoteManagementAccess": "FQDN"
        },
        "emails": [
            "admin@cisco.com"
        ],
        "fmcUpgradeData": {},
        "scheduleTasks": {
            "tasks": [
                {
                    "comment": "This was automatically set up during installation.",
                    "creation_date": 1669656848,
                    "name": "Weekly Software Download",
                    "time_data": {
                        "by_day": [
                            6
                        ],
                        "by_hour": [
                            2
                        ],
                        "by_minute": [
                            "10"
                        ],
                        "by_month": [],
                        "by_month_day": [],
                        "by_set_position": [],
                        "by_week_number": [],
                        "by_year_day": [],
                        "frequency_type": "weekly",
                        "interval": 1,
                        "start_date": "01/05/2019",
                        "support_dst": 1,
                        "timedate": 1546654200,
                        "tz": "America/New_York"
                    },
                    "type_name": "Download Latest Update"
                },
                {
                    "comment": "This was automatically set up during installation.",
                    "creation_date": 1669656852,
                    "name": "Weekly config only backup",
                    "time_data": {
                        "by_day": [
                            0
                        ],
                        "by_hour": [
                            2
                        ],
                        "by_minute": [
                            0
                        ],
                        "by_month": [],
                        "by_month_day": [],
                        "by_set_position": [],
                        "by_week_number": [],
                        "by_year_day": [],
                        "frequency_type": "weekly",
                        "interval": 1,
                        "start_date": "01/06/2019",
                        "support_dst": 1,
                        "timedate": 1546740000,
                        "tz": "America/New_York"
                    },
                    "type_name": "Backup"
                }
            ]
        },
        "versions": {
            "items": [
                {
                    "type": "SOFTWARE",
                    "version": "7.5.0-1475"
                },
                {
                    "lastUpdated": 1669866005000,
                    "type": "SNORT_RULES_DB",
                    "version": "2022-11-28-001-vrt"
                },
                {
                    "lastUpdated": 1669881833000,
                    "type": "VULNERABILITY_DB",
                    "version": "361"
                },
                {
                    "type": "GEOLOCATION_DB",
                    "version": "2022-11-21-101"
                }
            ]
        },
        "fmcVirtualData": {
            "InstanceType": "VM.Standard2.8",
            "Region": "us-phoenix-1",
            "Cloud": "Oracle Cloud"
        }
    },
    "changeManagementWorkflow": {
        "enabled": 1,
        "numberOfApprovers": 2,
        "purgingInterval": 30,
        "isEmailConfigured": 1,
        "totalTicketCount": 20,
        "ticketStatsPerday": {
            "new": 5,
            "inProgress": 2,
            "submitted": 4,
            "approved": 3,
            "rejected": 1,
            "onHold": 1
        }
    },
    "deviceTemplates": {
        "items": [
            {
                "deviceInfo": {
                    "containerStatus": "Standalone",
                    "deviceManager": "FMC",
                    "deviceModel": "Cisco Firepower Threat Defense for VMware",
                    "deviceName": "192.168.7.149",
                    "deviceUuid": "96b75a84-6f3d-11ed-96a6-e2422bc5a2bf",
                    "isConnected": true,
                    "snortEngine": "SNORT3"
                },
                "deviceSettings": {
                    "attemptedRemoteDeployHA": false,
                    "certVisibility": false,
                    "fmcAccessInfo": {
                        "IPAllocationTypeList": [
                            "N/A"
                        ],
                        "accessThrough": "Management interface"
                    },
                    "netFlow": {
                        "netFlowEnabled": false,
                        "numberOfCollectors": 0,
                        "numberOfTrafficClasses": 0
                    },
                    "nszValue": false,
                    "ogsValue": true,
                    "vrfInfo": {
                        "literal": false,
                        "numberOfStaticRoutes": 0,
                        "vrfCount": 0
                    },
                    "blockThreshold": 52,
                    "assignClientApplnsToProcess": true,
                    "tlsFingerprint": true,
                    "showTLSStringInConnEvents": false,
                    "deviceInterfaces": {
                        "interfaceMode": {
                            "numberOfEnabledInterfaces": 3,
                            "numberOfRoutedModeInterfaces": 3
                        },
                        "interfaceTypes": {
                            "numberOfPhysicalInterfaces": 3
                        }
                    },
                    "deviceTemplateApplySpecificInfo": {
                        "templateName": "Temp1",
                        "numberOfDevicesOnboarded": 2,
                        "applyFailureCount": 1,
                        "applySuccessCount": 2,
                        "averageApplicationTimeInSeconds": 14,
                        "numberOfVariables": 2,
                        "numberOfOverrides": 2,
                        "numberOfDevicesAssociated": 3,
                        "numberOfModelMappings": 3,
                        "numberOfInterfaces": 3,
                        "managementType": "MGMT_MANAGED",
                        "isLeafDomain": true,
                        "isTemplateGeneratedFromDevice": true,
                        "sourceDeviceUuidForTemplateGeneration": "6f999b12-d79a-11ee-829d-972639a70220",
                        "templatePolicyData": {
                            "isBgpEnabled": true,
                            "isOspfEnabled": true,
                            "isOspfv3Enabled": true,
                            "isRipEnabled": true,
                            "numberOfPolicyBasedVpn": 3,
                            "numberOfRouteBasedVpnPolicies": 2,
                            "numberOfSdWanTopologies": 3,
                            "assignedSharedPolicies": [
                                "PrefilterPolicy",
                                "AccessPolicy"
                            ]
                        }
                    }
                },
                "malware": {
                    "malwareLicenseUsed": true,
                    "numberOfACRulesNeedMalwareLicense": 1,
                    "numberOfACRulesWithMalware": 1
                },
                "threat": {
                    "acPolicyHasIntrusion": false,
                    "acRulesWithIntrusion": 1,
                    "isTIDEnabled": true,
                    "numberOfACRulesNeedThreatLicense": 0,
                    "threatLicenseUsed": true
                },
                "urlFiltering": {
                    "acRulesWithURLFiltering": 0,
                    "numberOfACRulesNeedThreatLicense": 0,
                    "numberOfACRulesNeedURLLicense": 0,
                    "urlFilteringLicenseUsed": true
                }
            }
        ]
    },
    "managedDevices": {
        "items": [
            {
                "deviceInfo": {
                    "containerStatus": "Standalone",
                    "deviceManager": "FMC",
                    "deviceModel": "Cisco Firepower Threat Defense for VMware",
                    "deviceName": "192.168.7.149",
                    "deviceUuid": "96b75a84-6f3d-11ed-96a6-e2422bc5a2bf",
                    "deviceVersion": "7.5.0-1475",
                    "isConnected": true,
                    "serialNumber": "9AEU1PEM9P2",
                    "snort3Toggled": false,
                    "snort3ToggledWithComment": "",
                    "snortEngine": "SNORT3",
                    "remoteBranchConnectivity": "Inbound"
                },
                "deviceSettings": {
                    "attemptedRemoteDeployHA": false,
                    "certVisibility": false,
                    "fmcAccessInfo": {
                        "IPAllocationTypeList": [
                            "N/A"
                        ],
                        "accessThrough": "Management interface"
                    },
                    "mgmtInterfaceConvergence": true,
                    "netFlow": {
                        "netFlowEnabled": false,
                        "numberOfCollectors": 0,
                        "numberOfTrafficClasses": 0
                    },
                    "nszValue": false,
                    "ogsValue": true,
                    "vrfInfo": {
                        "literal": false,
                        "numberOfStaticRoutes": 0,
                        "vrfCount": 0
                    },
                    "blockThreshold": 52,
                    "assignClientApplnsToProcess": true,
                    "tlsFingerprint": true,
                    "showTLSStringInConnEvents": false,
                    "onboardingMethod": "USING_SERIAL_NUMBER_VIA_CDO",
                    "deviceTemplateApplyInfo": {
                        "isRegisteredByTemplateFlow": false
                    }
                },
                "ftdMemoryCGroupStatistics": [
                    {
                        "meanMemorySwapUsageBytes": 5.207097946E7,
                        "meanMemoryUsageBytes": 5.206894039E7,
                        "memoryCGroupName": "System/ProcessHigh",
                        "peakMemorySwapUsageBytes": 1574682624,
                        "peakMemoryUsageBytes": 1574674432,
                        "stdDevMemorySwapUsage": 957106.41,
                        "stdDevMemoryUsage": 954302.27
                    },
                    {
                        "meanMemorySwapUsageBytes": 2.2863022975E8,
                        "meanMemoryUsageBytes": 228563747,
                        "memoryCGroupName": "System/ProcessMedium",
                        "peakMemorySwapUsageBytes": 965337088,
                        "peakMemoryUsageBytes": 960196608,
                        "stdDevMemorySwapUsage": 3854598.89,
                        "stdDevMemoryUsage": 2914561.18
                    },
                    {
                        "meanMemorySwapUsageBytes": 9.8453439805E8,
                        "meanMemoryUsageBytes": 9.8453448572E8,
                        "memoryCGroupName": "privileged",
                        "peakMemorySwapUsageBytes": 987504640,
                        "peakMemoryUsageBytes": 987504640,
                        "stdDevMemorySwapUsage": 31431.74,
                        "stdDevMemoryUsage": 31265.9
                    },
                    {
                        "meanMemorySwapUsageBytes": 286504.12,
                        "meanMemoryUsageBytes": 286523.87,
                        "memoryCGroupName": "normal",
                        "peakMemorySwapUsageBytes": 36343808,
                        "peakMemoryUsageBytes": 36343808,
                        "stdDevMemorySwapUsage": 75561.78,
                        "stdDevMemoryUsage": 75584.27
                    },
                    {
                        "meanMemorySwapUsageBytes": 3502151.01,
                        "meanMemoryUsageBytes": 3502080,
                        "memoryCGroupName": "restricted",
                        "peakMemorySwapUsageBytes": 77656064,
                        "peakMemoryUsageBytes": 23068672,
                        "stdDevMemorySwapUsage": 2695.67,
                        "stdDevMemoryUsage": 0
                    },
                    {
                        "meanMemorySwapUsageBytes": 0,
                        "meanMemoryUsageBytes": 0,
                        "memoryCGroupName": "rest-agent",
                        "peakMemorySwapUsageBytes": 0,
                        "peakMemoryUsageBytes": 0,
                        "stdDevMemorySwapUsage": 0,
                        "stdDevMemoryUsage": 0
                    },
                    {
                        "meanMemorySwapUsageBytes": 5.2469167188E8,
                        "meanMemoryUsageBytes": 5.2469178715E8,
                        "memoryCGroupName": "Detection-Snort3",
                        "peakMemorySwapUsageBytes": 555659264,
                        "peakMemoryUsageBytes": 555659264,
                        "stdDevMemorySwapUsage": 123621.9,
                        "stdDevMemoryUsage": 123587.29
                    },
                    {
                        "meanMemorySwapUsageBytes": 1.92944950325E9,
                        "meanMemoryUsageBytes": 1.92877869444E9,
                        "memoryCGroupName": "System",
                        "peakMemorySwapUsageBytes": 3940163584,
                        "peakMemoryUsageBytes": 3192242176,
                        "stdDevMemorySwapUsage": 1.8285574795E8,
                        "stdDevMemoryUsage": 1.8113682802E8
                    },
                    {
                        "meanMemorySwapUsageBytes": 0,
                        "meanMemoryUsageBytes": 0,
                        "memoryCGroupName": "System/default",
                        "peakMemorySwapUsageBytes": 0,
                        "peakMemoryUsageBytes": 0,
                        "stdDevMemorySwapUsage": 0,
                        "stdDevMemoryUsage": 0
                    },
                    {
                        "meanMemorySwapUsageBytes": 1.7099025256E8,
                        "meanMemoryUsageBytes": 1.7097078922E8,
                        "memoryCGroupName": "System/Database",
                        "peakMemorySwapUsageBytes": 253714432,
                        "peakMemoryUsageBytes": 228401152,
                        "stdDevMemorySwapUsage": 839322.91,
                        "stdDevMemoryUsage": 398360.35
                    },
                    {
                        "meanMemorySwapUsageBytes": 0,
                        "meanMemoryUsageBytes": 0,
                        "memoryCGroupName": "qemu",
                        "peakMemorySwapUsageBytes": 0,
                        "peakMemoryUsageBytes": 0,
                        "stdDevMemorySwapUsage": 0,
                        "stdDevMemoryUsage": 0
                    },
                    {
                        "meanMemorySwapUsageBytes": 1.7874486112E8,
                        "meanMemoryUsageBytes": 1.7870017999E8,
                        "memoryCGroupName": "System/ActionQueueScrape",
                        "peakMemorySwapUsageBytes": 1487872000,
                        "peakMemoryUsageBytes": 1446891520,
                        "stdDevMemorySwapUsage": 5783036.92,
                        "stdDevMemoryUsage": 5530633.87
                    },
                    {
                        "meanMemorySwapUsageBytes": 5.0285961409E8,
                        "meanMemoryUsageBytes": 5.0267548869E8,
                        "memoryCGroupName": "System/ProcessLow",
                        "peakMemorySwapUsageBytes": 1205043200,
                        "peakMemoryUsageBytes": 751620096,
                        "stdDevMemorySwapUsage": 1.7946871779E8,
                        "stdDevMemoryUsage": 1.7939477583E8
                    },
                    {
                        "meanMemorySwapUsageBytes": 7.9608501366E8,
                        "meanMemoryUsageBytes": 7.9573099445E8,
                        "memoryCGroupName": "System/SFDataCorrelator",
                        "peakMemorySwapUsageBytes": 2138398720,
                        "peakMemoryUsageBytes": 1774387200,
                        "stdDevMemorySwapUsage": 3.437121236E7,
                        "stdDevMemoryUsage": 3.164608653E7
                    }
                ],
                "ftdProcessExitStatistics": [
                    {
                        "managedRestarts": 0,
                        "processName": "adi",
                        "unexpectedExits": 0
                    }
                ],
                "ftdUpgradeData": {
                    "hotfixesApplied": "",
                    "baseVersion": "7.5.0-10",
                    "targetVersion": "7.5.1-38",
                    "upgradePackageFilename": "Cisco_FTD_Upgrade-7.5.1-38.sh.REL.tar",
                    "updateType": "major",
                    "upgradeStatus": [
                        {
                            "status": "FAILED",
                            "message": "[230307 06:10:33:875] Starting script: /ngfw/var/sf/upgrade-scripts/7.5.1/200_pre/001_check_reg.pl\nEntering 001_check_reg.pl\nFatal error: Device registration in progress. Cannot continue. Please wait for Device registration to complete. \nDevice registration in progress. Cannot continue. at /ngfw/var/sf/upgrade-scripts/7.5.1/200_pre/001_check_reg.pl line 18.\n",
                            "startTime": "Tue, 07 Mar 2023 06:08:45 UTC",
                            "endTime": "Tue, 07 Mar 2023 06:10:35 UTC",
                            "elapsedTimeInSeconds": 110,
                            "failedScript": [
                                "/ngfw/var/sf/upgrade-scripts/7.5.1/200_pre/001_check_reg.pl"
                            ],
                            "subState": "FTD_UPGRADE_FAILED",
                            "cancelOnFailure": true,
                            "scriptExecutionTime": {
                                "scripts": [
                                    {
                                        "name": "000_start/000_00_run_cli_kick_start.sh",
                                        "executionTime": 1
                                    },
                                    {
                                        "name": "000_start/000_0_start_upgrade_status_api_stack.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/000_check_platform_support.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/000_check_update.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/000_db_schema_check.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/100_start_messages.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/105_check_model_number.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/107_version_check.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/110_DB_integrity_check.sh",
                                        "executionTime": 2
                                    },
                                    {
                                        "name": "000_start/113_EO_integrity_check.pl",
                                        "executionTime": 2
                                    },
                                    {
                                        "name": "000_start/200_clean_csp_files.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/250_check_system_files.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/320_remove_backups.sh",
                                        "executionTime": 0
                                    },
                                    {
                                        "name": "000_start/101_run_pruning.pl",
                                        "executionTime": 36
                                    },
                                    {
                                        "name": "000_start/000_00_run_troubleshoot.sh",
                                        "executionTime": 67
                                    },
                                    {
                                        "name": "000_start/410_check_disk_space.sh",
                                        "executionTime": 2
                                    }
                                ]
                            },
                            "ActionQueueStatus": "FAILED",
                            "GroupType": "HA/standby ready",
                            "PatchHistory": "7.5.0-10",
                            "SuccessfulReadinessTimestamp": "Tue, 07 Mar 2023 06:06:04 UTC",
                            "VarPartitionConsumptionInKB": 80
                        }
                    ],
                    "cancelStatus": [
                        {
                            "status": "COMPLETED",
                            "message": "Device returned to previous version: 7.5.0-10.",
                            "startTime": "Tue, 07 Mar 2023 06:10:37 UTC",
                            "endTime": "Tue, 07 Mar 2023 06:10:40 UTC",
                            "elapsedTimeInSeconds": 3
                        }
                    ]
                },
                "malware": {
                    "malwareLicenseUsed": true,
                    "numberOfACRulesNeedMalwareLicense": 1,
                    "numberOfACRulesWithMalware": 1
                },
                "snort3RuntimeStatistics": {
                    "firewallStatistics": {
                        "dce_rpcAllowedFlows": 0,
                        "dce_rpcDeniedFlows": 0,
                        "dnp3AllowedFlows": 0,
                        "dnp3DeniedFlows": 0,
                        "dnsAllowedFlows": 0,
                        "dnsDeniedFlows": 0,
                        "ftp_telnetAllowedFlows": 0,
                        "ftp_telnetDeniedFlows": 0,
                        "http2AllowedFlows": 0,
                        "http2DeniedFlows": 0,
                        "httpAllowedFlows": 0,
                        "httpDeniedFlows": 0,
                        "imapAllowedFlows": 0,
                        "imapDeniedFlows": 0,
                        "modbusAllowedFlows": 0,
                        "modbusDeniedFlows": 0,
                        "otherAllowedFlows": 2216,
                        "otherDeniedFlows": 0,
                        "popAllowedFlows": 0,
                        "popDeniedFlows": 0,
                        "quicAllowedFlows": 0,
                        "quicDeniedFlows": 0,
                        "rpcAllowedFlows": 0,
                        "rpcDeniedFlows": 0,
                        "sipAllowedFlows": 0,
                        "sipDeniedFlows": 0,
                        "smtpAllowedFlows": 0,
                        "smtpDeniedFlows": 0,
                        "sshAllowedFlows": 0,
                        "sshDeniedFlows": 0,
                        "sslAllowedFlows": 0,
                        "sslDeniedFlows": 0
                    },
                    "ftpStatistics": {
                        "ftpDataBytesProcessed": 0,
                        "maxFTPsessions": 0
                    },
                    "http2Statistics": {
                        "http2DataBytesProcessed": 0,
                        "maxHTTP2Sessions": 0
                    },
                    "httpStatistics": {
                        "httpDataBytesProcessed": 0,
                        "maxHTTPSessions": 325
                    },
                    "popStatistics": {
                        "maxPOPSessions": 0,
                        "popDataBytesProcessed": 0
                    },
                    "sessionStatistics": {
                        "highCpuUtilisedElephantFlows": 0,
                        "ipDataBytesProcessed": 27792,
                        "maxElephantFlows": 0,
                        "maxIPSessions": 10,
                        "maxTCPSessions": 13675,
                        "maxUDPSessions": 120,
                        "midStreamSessions": 0,
                        "prunedSessions": 2216,
                        "systemUnderDuress": 0,
                        "tcpDataBytesProcessed": 0,
                        "totalElephantFlowsBypassed": 0,
                        "totalElephantFlowsDethrottled": 0,
                        "totalElephantFlowsExempted": 0,
                        "totalElephantFlowsThrottled": 0,
                        "udpDataBytesProcessed": 0
                    },
                    "smbStatistics": {
                        "totalEncryptedSessions": 0,
                        "totalMultichannelSessions": 0,
                        "totalSMB1Sessions": 0,
                        "totalSMB2Sessions": 0
                    },
                    "smtpStatistics": {
                        "maxSMTPSessions": 5,
                        "smtpDataBytesProcessed": 0
                    },
                    "snortLatency": {
                        "maxTimeSpent": 0,
                        "packetTimeouts": 0,
                        "ruleEvaluationsExceededLatency": 0,
                        "rulesReenabled": 0,
                        "totalNumberOfRuleEvalauations": 4542,
                        "totalPacketsMonitored": 0,
                        "totalTimeSpentInDetection": 0
                    },
                    "sshStatistics": {
                        "maxSshSessions": 80,
                        "sshDataBytesProcessed": 0
                    },
                    "sslStatistics": {
                        "maxSslSessions": 0,
                        "packetsProcessed": 0,
                        "sessionsIgnored": 0
                    },
                    "xtlsStatistics": {
                        "badCertificate": [],
                        "cert_dkk_verdicts": 0,
                        "cert_dnd_verdicts": 0,
                        "cert_dp_verdicts": 0,
                        "cert_dr_verdicts": 0,
                        "cert_drk_verdicts": 0,
                        "certificateUnknown": [],
                        "client_hello_definitive_dnd": 0,
                        "decrypted_tls_1_3_flows": 0,
                        "droppedCiphers": [],
                        "flow_created": 0,
                        "flow_over_subscriptions": 0,
                        "negotiatedCiphers": [],
                        "negotiated_ssl_version_3_0": 0,
                        "negotiated_tls_version_1_0": 0,
                        "negotiated_tls_version_1_1": 0,
                        "negotiated_tls_version_1_2": 0,
                        "negotiated_tls_version_1_3": 0,
                        "requested_esni": 0,
                        "sh_session_resume": 0,
                        "unknownCertificateAuthority": [],
                        "unsupportedCiphers": []
                    }
                },
                "eveHandlerStatistics": {
                    "eveExceptionListRulesCounter": {
                        "dstContextAndProcessname": 1,
                        "numberOfRules": 6,
                        "onlyDstContext": 3,
                        "onlyDstIp": 3,
                        "onlyProcessname": 2
                    }
                },
                "linaStats": {
                    "blocks": [
                        {
                            "cnt": 164,
                            "low": 164,
                            "max": 164,
                            "size": "2560"
                        },
                        {
                            "cnt": 4133,
                            "low": 4132,
                            "max": 4248,
                            "size": "256"
                        },
                        {
                            "cnt": 100,
                            "low": 100,
                            "max": 100,
                            "size": "16384"
                        },
                        {
                            "cnt": 100,
                            "low": 100,
                            "max": 100,
                            "size": "8192"
                        },
                        {
                            "cnt": 100,
                            "low": 100,
                            "max": 100,
                            "size": "9344"
                        },
                        {
                            "cnt": 100,
                            "low": 100,
                            "max": 100,
                            "size": "4096"
                        },
                        {
                            "cnt": 950,
                            "low": 950,
                            "max": 950,
                            "size": "0"
                        },
                        {
                            "cnt": 16,
                            "low": 16,
                            "max": 16,
                            "size": "65664"
                        },
                        {
                            "cnt": 1208,
                            "low": 1206,
                            "max": 1208,
                            "size": "80"
                        },
                        {
                            "cnt": 100,
                            "low": 100,
                            "max": 100,
                            "size": "4"
                        },
                        {
                            "cnt": 6272,
                            "low": 6271,
                            "max": 6274,
                            "size": "1550"
                        },
                        {
                            "cnt": 2100,
                            "low": 2100,
                            "max": 2100,
                            "size": "2048"
                        }
                    ],
                    "diskUsage": {
                        "freeDiskBytes": 8569335808,
                        "totalDiskBytes": 8571076608,
                        "usedDiskBytes": 1740800
                    },
                    "failoverInfo": {
                        "myRole": "Primary",
                        "myState": "active",
                        "peerRole": "Secondary",
                        "peerSerialNum": "9A2TT9Q1499",
                        "peerState": "standby"
                    },
                    "featureStatus": [
                        {
                            "feature": "inspection-icmp",
                            "status": "enabled"
                        },
                        {
                            "feature": "firewall_user_authentication",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-sip",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-snmp",
                            "status": "enabled"
                        },
                        {
                            "feature": "threat_detection_basic_threat",
                            "status": "enabled"
                        },
                        {
                            "feature": "threat_detection_stat_access_list",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-ftp",
                            "status": "enabled"
                        },
                        {
                            "feature": "aaa-proxy-limit",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-netbios",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-skinny",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-xdmcp",
                            "status": "enabled"
                        },
                        {
                            "feature": "mobike",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-rsh",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-tftp",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-dns",
                            "status": "enabled"
                        },
                        {
                            "feature": "IKEv2",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-h323",
                            "status": "enabled"
                        },
                        {
                            "feature": "authentication-aaa",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-sqlnet",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-sunrpc",
                            "status": "enabled"
                        },
                        {
                            "feature": "inspection-rtsp",
                            "status": "enabled"
                        },
                        {
                            "feature": "authentication-saml",
                            "status": "enabled"
                        },
                        {
                            "feature": "sctp-engine",
                            "status": "enabled"
                        }
                    ],
                    "memoryUsage": {
                        "freeMemoryInBytes": 1359633808,
                        "totalMemoryInBytes": 4067457104,
                        "usedMemoryInBytes": 2707823296
                    },
                    "loginHistory": [
                        {
                            "lastSuccessfulLogin": "11:48:24 UTC Nov 10 2023",
                            "loginTimesinDays": "10 times in last 91 days"
                        }
                    ],
                    "perfMonStat": [
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "URLAccess"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "AAAAccount"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "AAAAuthor"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "TCPInterceptAttempts"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "UDPConns"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "TCPInterceptEstablishedConns"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "Xlates"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "TCPEmbryonicConnsTimeout"
                        },
                        {
                            "averagePerSec": -1,
                            "currentPerSec": -1,
                            "perfmonStatsKey": "validConnsRateInTcpIntercept"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "URLServerReq"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "Connections"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "TCPFixup"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "AAAAuthen"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "TCPConns"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "FTPFixup"
                        },
                        {
                            "averagePerSec": 0,
                            "currentPerSec": 0,
                            "perfmonStatsKey": "HTTPFixup"
                        }
                    ],
                    "resourceUsage": [
                        {
                            "context": "System",
                            "current": 0,
                            "denied": 0,
                            "limit": "N/A",
                            "peak": 5,
                            "resource": "Hosts"
                        },
                        {
                            "context": "System",
                            "current": 0,
                            "denied": 0,
                            "limit": "N/A",
                            "peak": 194,
                            "resource": "Syslogs[rate]"
                        },
                        {
                            "context": "System",
                            "current": 0,
                            "denied": 0,
                            "limit": "250000",
                            "peak": 5,
                            "resource": "Conns"
                        },
                        {
                            "context": "System",
                            "current": 0,
                            "denied": 0,
                            "limit": "N/A",
                            "peak": 2,
                            "resource": "Inspects[rate]"
                        },
                        {
                            "context": "System",
                            "current": 10,
                            "denied": 0,
                            "limit": "unlimited",
                            "peak": 13,
                            "resource": "Routes"
                        }
                    ]
                },
                "sslCacheStats": {},
                "sslUsage": {
                    "isSSLEnabled": true
                },
                "ssl_rules_counter": {
                    "block": {
                        "apps": 0,
                        "cert_statuses": 0,
                        "cipher_suites": 0,
                        "decryption_certs": 0,
                        "dst_networks": 0,
                        "dst_services": 0,
                        "dst_zones": 0,
                        "external_certs": 0,
                        "issuer_dns": 0,
                        "logging": 0,
                        "replace_public_key": 0,
                        "src_networks": 0,
                        "src_services": 0,
                        "src_zones": 0,
                        "ssl_versions": 0,
                        "subject_dns": 0,
                        "urls": 0,
                        "users": 0,
                        "vlan_tags": 0
                    },
                    "block_with_reset": {
                        "apps": 0,
                        "cert_statuses": 0,
                        "cipher_suites": 0,
                        "decryption_certs": 0,
                        "dst_networks": 0,
                        "dst_services": 0,
                        "dst_zones": 0,
                        "external_certs": 0,
                        "issuer_dns": 0,
                        "logging": 0,
                        "replace_public_key": 0,
                        "src_networks": 0,
                        "src_services": 0,
                        "src_zones": 0,
                        "ssl_versions": 0,
                        "subject_dns": 0,
                        "urls": 0,
                        "users": 0,
                        "vlan_tags": 0
                    },
                    "decrypt_known_key": {
                        "apps": 0,
                        "cert_statuses": 0,
                        "cipher_suites": 0,
                        "decryption_certs": 0,
                        "dst_networks": 0,
                        "dst_services": 0,
                        "dst_zones": 0,
                        "external_certs": 0,
                        "issuer_dns": 0,
                        "logging": 0,
                        "replace_public_key": 0,
                        "src_networks": 0,
                        "src_services": 0,
                        "src_zones": 0,
                        "ssl_versions": 0,
                        "subject_dns": 0,
                        "urls": 0,
                        "users": 0,
                        "vlan_tags": 0
                    },
                    "decrypt_resign": {
                        "apps": 0,
                        "cert_statuses": 0,
                        "cipher_suites": 0,
                        "decryption_certs": 0,
                        "dst_networks": 0,
                        "dst_services": 0,
                        "dst_zones": 0,
                        "external_certs": 0,
                        "issuer_dns": 0,
                        "logging": 0,
                        "replace_public_key": 0,
                        "src_networks": 0,
                        "src_services": 0,
                        "src_zones": 0,
                        "ssl_versions": 0,
                        "subject_dns": 0,
                        "urls": 0,
                        "users": 0,
                        "vlan_tags": 0
                    },
                    "do_not_decrypt": {
                        "apps": 0,
                        "cert_statuses": 0,
                        "cipher_suites": 0,
                        "decryption_certs": 0,
                        "dst_networks": 0,
                        "dst_services": 0,
                        "dst_zones": 0,
                        "external_certs": 0,
                        "issuer_dns": 0,
                        "logging": 0,
                        "replace_public_key": 0,
                        "src_networks": 0,
                        "src_services": 0,
                        "src_zones": 0,
                        "ssl_versions": 0,
                        "subject_dns": 0,
                        "urls": 0,
                        "users": 0,
                        "vlan_tags": 0
                    },
                    "monitor": {
                        "apps": 0,
                        "cert_statuses": 0,
                        "cipher_suites": 0,
                        "decryption_certs": 0,
                        "dst_networks": 0,
                        "dst_services": 0,
                        "dst_zones": 0,
                        "external_certs": 0,
                        "issuer_dns": 0,
                        "logging": 0,
                        "replace_public_key": 0,
                        "src_networks": 0,
                        "src_services": 0,
                        "src_zones": 0,
                        "ssl_versions": 0,
                        "subject_dns": 0,
                        "urls": 0,
                        "users": 0,
                        "vlan_tags": 0
                    }
                },
                "threat": {
                    "acPolicyHasIntrusion": false,
                    "acRulesWithIntrusion": 1,
                    "isTIDEnabled": true,
                    "numberOfACRulesNeedThreatLicense": 0,
                    "threatLicenseUsed": true
                },
                "ftdModelMigrationStatistics": [
                    {
                        "elapsedTime": 6366,
                        "errors": "",
                        "isCompleted": true,
                        "isReset": false,
                        "numberOfInterfaces": 18,
                        "sourceContainerStatus": "Standalone",
                        "sourceDeviceModel": "Cisco Firepower 2130 Threat Defense",
                        "sourceDeviceUuid": "a8eee3f4-aa19-11ed-bda9-857788e8d45a",
                        "sourceDeviceVersion": "7.2.0",
                        "targetContainerStatus": "Standalone",
                        "targetDeviceModel": "Cisco Secure Firewall 3105 Threat Defense",
                        "targetDeviceVersion": "7.3.0"
                    }
                ],
                "urlFiltering": {
                    "acRulesWithURLFiltering": 0,
                    "numberOfACRulesNeedThreatLicense": 0,
                    "numberOfACRulesNeedURLLicense": 0,
                    "urlFilteringLicenseUsed": true
                },
                "ftdVirtualData": {
                    "DataInterfaceCount": 2,
                    "Hypervisor": "Oracle Cloud",
                    "InstanceType": "VM.Standard2.8",
                    "InterfaceBandwidth": "1000 Mbps",
                    "LicenseTier": "FTDv50",
                    "Memory": "120832 MB",
                    "NetworkDriver": "net_virtio",
                    "Region": "us-phoenix-1",
                    "vCPU": "16"
                }
            }
        ]
    },
    "policyData": {
        "AccessPolicyInfo": [
            {
                "assignedSnort2Devices": 0,
                "assignedSnort3Devices": 1,
                "customIpsPolicyCount": 1,
                "customNapPolicyCount": 1,
                "enabledIpsSyslog": false,
                "encryptedVisibilityEngine": true,
                "overrideSyslogDestination": false,
                "parentPolicyUUID": "8589935770",
                "policyUUID": "8589935771",
                "portScanSettings": {
                    "inspectionMode": "Disabled"
                },
                "systemIpsPolicyCount": 1,
                "systemNapPolicyCount": 0
            }
        ],
        "MigratedSnort3IntrusionPolicyInfo": {
            "migratedPolicies": 0,
            "policiesFailureCount": 0,
            "policiesFailureReason": [
                "N/A"
            ],
            "policiesPartialFailureCount": 0,
            "policiesPartialFailureReason": [
                "N/A"
            ],
            "policiesSuccessCount": 0
        },
        "PrefilterPolicyInfo": [
            {
                "assignedDevices": 1,
                "isSytemDefined": true
            }
        ],
        "Snort2IntrusionPolicyInfo": {
            "Snort2IpsList": [
                {
                    "isSystemDefined": true,
                    "policyName": "No Rules Active",
                    "policyUUID": "abba416e-3127-11da-9f4c-d463d19aa744"
                },
                {
                    "assignedSnort2Devices": 0,
                    "customEnabledRules": 0,
                    "dynamicConfiguredRules": 0,
                    "firepowerRecommendationsUsed": false,
                    "globalThresholdDisabled": false,
                    "globalThresholdUpdated": false,
                    "isSystemDefined": false,
                    "overridenRules": 0,
                    "parentPolicyUUID": "abba416e-3127-11da-9f4c-d463d19aa744",
                    "policyUUID": "765f93a0-6f42-11ed-8d96-2e944da3174c",
                    "sensitiveDataDetectionEnabled": false,
                    "snmpEnabledRules": 0,
                    "suppressionConfiguredRules": 0,
                    "thresholdConfiguredRules": 0
                }
            ],
            "customClassification": 0,
            "customClassificationInUse": 0,
            "customRuleWithPass": 0,
            "customRuleWithReplace": 0,
            "customRules": 0
        },
        "Snort2NetworkAnalysisPolicyInfo": [
            {
                "assignedSnort2Devices": 0,
                "customInstancesAdded": [
                    "N/A"
                ],
                "isSystemDefined": false,
                "lastModifiedTimestamp": "2022-11-28 17:31:05",
                "parentPolicyUUID": "abba00a0-cf29-425c-9d75-49699aadc898",
                "policyUUID": "703e0600-6f42-11ed-8d96-2e944da3174c",
                "userDisabledInspectors": [
                    "N/A"
                ],
                "userEditedInspectors": [
                    "N/A"
                ],
                "userEnabledInspectors": [
                    "N/A"
                ]
            }
        ],
        "Snort3IntrusionPolicyInfo": {
            "Snort3IpsList": [
                {
                    "FirepowerRecommendationsUsed": false,
                    "assignedSnort3Devices": 1,
                    "enabledCustomRuleGroupCount": 0,
                    "excludedRuleGroups": [],
                    "excludedRuleGroupsCount": 0,
                    "includedRuleGroups": [],
                    "includedRuleGroupsCount": 0,
                    "overridenRuleGroups": [],
                    "overridenRuleGroupsCount": 0,
                    "overridenRules": 4,
                    "parentPolicyUUID": "7005",
                    "policyUUID": "8589935680"
                }
            ],
            "customRuleGroups": 1,
            "customRules": 4,
            "rulesWithSuppression": 0,
            "rulesWithThreshold": 0
        },
        "Snort3NetworkAnalysisPolicyInfo": [
            {
                "assignedSnort3Devices": 1,
                "customInstancesAdded": [
                    "N/A"
                ],
                "defaultInstancesEdited": [
                    "N/A"
                ],
                "parentPolicyUUID": "7303",
                "policyUUID": "8589935556",
                "userDisabledInspectors": [
                    "N/A"
                ],
                "userEditedInspectors": [
                    "N/A"
                ],
                "userEnabledInspectors": [
                    "N/A"
                ]
            }
        ],
        "ZtnaPolicyInfo": [
            {
                "appSSLcertificates": 1,
                "applicationGroups": 1,
                "appsUsingFilePolicy": 3,
                "appsUsingIPS": 1,
                "assignedDevices": 0,
                "identityProviders": [
                    "www.okta.com"
                ],
                "interfaceObjects": 2,
                "totalApplications": 3,
                "ungroupedApplications": 2
            },
            {
                "appSSLcertificates": 1,
                "applicationGroups": 2,
                "appsUsingFilePolicy": 4,
                "appsUsingIPS": 4,
                "assignedDevices": 0,
                "identityProviders": [
                    "www.okta.com"
                ],
                "interfaceObjects": 2,
                "totalApplications": 4,
                "ungroupedApplications": 2
            }
        ]
    },
    "deploymentData": {},
    "analysis": {
        "cloudEventConfig": {
            "excludedDevices": 0,
            "sendingConnection": false,
            "sendingConnectionAll": false,
            "sendingDiscovery": false,
            "sendingEvents": false,
            "sendingFile": false,
            "sendingIntrusion": false,
            "sendingPackets": false
        },
        "crossLaunchInfo": {
            "count": 28,
            "enabledCount": 28,
            "iocInfo": [
                {
                    "domain": 10,
                    "ip": 9,
                    "sha256": 9
                }
            ]
        },
        "eventCount": {
            "fileTotal": 0,
            "ipsAlert": 1045,
            "ipsBlock": 0,
            "ipsDrop": 0,
            "ipsDropped": 0,
            "ipsPartialBlock": 0,
            "ipsPartiallyDropped": 0,
            "ipsReact": 0,
            "ipsReject": 0,
            "ipsRewrite": 0,
            "ipsTotal": 1045,
            "ipsWouldBlock": 0,
            "ipsWouldDrop": 0,
            "ipsWouldHaveDropped": 0,
            "ipsWouldReact": 0,
            "ipsWouldReject": 0,
            "ipsWouldRewrite": 0,
            "malwareBlocked": 0,
            "malwareTotal": 0,
            "networkDiscoveryHost": 1198
        },
        "savedSearchesAndReportUsageMetrics": {
            "availableGeneratedReportsCount": 0,
            "customReportTemplateCount": 0,
            "numberOfReportTemplatesUsingUserDefinedSavedSearches": 0,
            "savedSearchesCount": 98,
            "scheduledReportTaskCount": 0,
            "userDefinedSavedSearchesCount": 0
        },
        "stealthwatchConfig": {
            "crossLaunchEnabled": 0,
            "hasLogHost": 0,
            "isLinaLoggingEnabled": 0,
            "isOneBox": 0,
            "numLogHosts": 0,
            "numUnusedLogHosts": 0,
            "storeEventsFmc": 1
        }
    },
    "theme": {
        "light": 10
    },
    "SSLStats": {
        "action": {
            "block": 0,
            "block_with_reset": 0,
            "decrypt_resign_self_signed": 0,
            "decrypt_resign_self_signed_replace_key_only": 0,
            "decrypt_resign_signed_cert": 0,
            "decrypt_with_known_key": 0,
            "do_not_decrypt": 0
        },
        "cache_status": {
            "cached_session": 0,
            "cert_validation_cache_hit": 0,
            "cert_validation_cache_miss": 0,
            "orig_cert_cache_hit": 0,
            "orig_cert_cache_miss": 0,
            "resigned_cert_cache_hit": 0,
            "resigned_cert_cache_miss": 0,
            "session_cache_hit": 0,
            "session_cache_miss": 0
        },
        "cert_status": {
            "cert_expired": 0,
            "cert_invalid_issuer": 0,
            "cert_invalid_signature": 0,
            "cert_not_checked": 0,
            "cert_not_yet_valid": 0,
            "cert_revoked": 0,
            "cert_self_signed": 0,
            "cert_unknown": 0,
            "cert_valid": 0
        },
        "failure_reason": {
            "decryption_error": 0,
            "handshake_error_before_verdict": 0,
            "handshake_error_during_verdict": 0,
            "ssl_compression": 0,
            "uncached_session": 0,
            "undecryptable_in_passive_mode": 0,
            "unknown_cipher_suite": 0,
            "unsupported_cipher_suite": 0
        },
        "version": {
            "ssl_v20": 0,
            "ssl_v30": 0,
            "ssl_version_unknown": 0,
            "tls_v10": 0,
            "tls_v11": 0,
            "tls_v12": 0,
            "tls_v13": 0
        }
    },
    "snortRestart": {
        "appDetectorSnortRestartCnt": 0,
        "appSnortRestartCnt": 0
    },
    "localUrlCount": {
        "items": []
    },
    "vpnData": {
        "certificate": {
            "certificateEnrollmentESTObjects": 0,
            "certificateEnrollmentManualObjects": 0,
            "certificateEnrollmentPKCS12Objects": 0,
            "certificateEnrollmentSCEPObjects": 0,
            "certificateEnrollmentSelfSignedObjects": 0,
            "certificateEnrollments": 0,
            "devicesWithCertificateEnrollments": 0
        },
        "remoteAccessVpn": {
            "connectionProfilesWithFallbackToLocal": 0,
            "connectionProfilesWithLocalAuthentication": 0,
            "connectionProfilesWithOverriddenSAMLIDPCertificate": 0,
            "connectionProfilesWithRADIUS": 0,
            "connectionProfilesWithRealm": 0,
            "connectionProfilesWithSAML": 0,
            "connectionProfilesWithWebAuthNEnabled": 0,
            "devicesConfiguredWithRAVPN": 0,
            "devicesEnabledWithLoadBalancing": 0,
            "dynamicAccessPolicies": 0,
            "dynamicAccessPolicyRecords": 0,
            "ravpnConnectionProfiles": 0,
            "ravpnPolicies": 0,
            "ravpnPoliciesWithIKEv2": 0,
            "ravpnPoliciesWithSSL": 0,
            "ravpnPoliciesWithServiceAccessObjectConfigured": 0
        },
        "siteToSiteVpn": {
            "devicesConfiguredWithS2SVpn": 0,
            "s2sIKEv1VpnWithCertificateAuthentication": 0,
            "s2sIKEv2VpnWithCertificateAuthentication": 0,
            "s2sVpnExtranetEndpoints": 0,
            "s2sVpnFullMeshTopologies": 0,
            "s2sVpnHubAndSpokeTopologies": 0,
            "s2sVpnIKEv1Topologies": 0,
            "s2sVpnIKEv2Topologies": 0,
            "s2sVpnPointToPointTopologies": 0,
            "s2sVpnVTITopologies": 0
        },
        "sdwanVpn": {
            "sdwanTopologies": 0,
            "uniqueSdwanHubs": 0,
            "uniqueSdwanSpokes": 0,
            "sdwanDualHubDiffAs": 0,
            "sdwanWithBGPEnabled": 0,
            "sdwanWithBGPDisabled": 0,
            "sdwanWithRedistConnectedEnabled": 0,
            "sdwanWithRedistConnectedDisabled": 0
        }
    },
    "fmc_healthmon": {
        "fmc": {
            "stats": {
                "maxCustomDashboardsCreatedBySingleUser": 0,
                "numUsersCreatedDashboard": 0
            }
        },
        "ftd": {
            "stats": {
                "maxCustomDashboardsCreatedBySingleUser": 0,
                "numUsersCreatedDashboard": 0
            }
        }
    },
    "identityUsage": {
        "accessControlPolicyStats": {
            "accessRules": 1,
            "numberOfAccessPolicies": 1,
            "numberOfUniqueRealmReference": 0,
            "numberOfUniqueUserGroupReference": 0,
            "numberOfUniqueUserReference": 0,
            "rulesWithABP": 0,
            "rulesWithSGT": 0,
            "rulesWithUserGroupReference": 0,
            "rulesWithUserReference": 0
        },
        "identityPolicyStats": {
            "activeRules": 0,
            "identityPolicies": 1,
            "noAuthRules": 0,
            "numberOfIdentityPolicywithPerSiteAuthSetting": 0,
            "numberOfUniqueRealmSequences": 0,
            "numberOfUniqueRealms": 1,
            "activeRulesCountWithRealmSequences": 0,
            "passiveRules": 1
        },
        "identitySource": {
            "isISEConfigured": 0,
            "isSXPEnabled": 0,
            "isSessionDirectoryEnabled": 0
        },
        "proxy": {
            "devicesUsedAsProxy": 0,
            "devicesUsedForISEProxy": 0,
            "devicesUsedForRealmProxy": {
                "max": 0,
                "min": 0,
                "total": 0
            },
            "proxySequences": 0,
            "realmsWithProxy": 0,
            "standAloneProxyDevices": 0
        },
        "realmStats": {
            "ADRealms": 1,
            "LDAPDirectories": 1,
            "LDAPRealms": 0,
            "LDAPsDirectories": 0,
            "localRealms": 0,
            "realmSequences": 0
        }
    },
    "managedClusters": {
        "totalClusterCount": 0
    },
    "mariaDBData": {
        "DBConnection_count": [],
        "Db_file_system_size": [
            {
                "location": "/var/lib/mysql/cfgdb",
                "value": "2.0G"
            },
            {
                "location": "/var/lib/mysql/sfsnort",
                "value": "295M"
            },
            {
                "location": "/var/lib/mysql",
                "value": "5.1G"
            }
        ],
        "Db_index_size": {
            "Total_Db_size": "520.9M",
            "cfgdb": "431.3M",
            "sfsnort": "89.5M"
        },
        "Db_size": {
            "Total_Db_size": "1402.6M",
            "cfgdb": "1289.6M",
            "sfsnort": "112.9M"
        },
        "Global_status_CLI": "EMPTY",
        "MariaDb_CPU_stats": [
            {
                "timestamp": "1669746257",
                "value": "0.6633333333333331"
            },
            {
                "timestamp": "1669749857",
                "value": "0.7"
            },
            {
                "timestamp": "1669753457",
                "value": "0.7"
            },
            {
                "timestamp": "1669757057",
                "value": "0.7"
            },
            {
                "timestamp": "1669760657",
                "value": "0.7"
            },
            {
                "timestamp": "1669764257",
                "value": "0.7"
            },
            {
                "timestamp": "1669767857",
                "value": "0.7"
            }
        ],
        "MariaDb_memory_stats": [
            {
                "timestamp": "1669746257",
                "value": "1135789875.1999998"
            },
            {
                "timestamp": "1669749857",
                "value": "1139567752.5333333"
            },
            {
                "timestamp": "1669753457",
                "value": "1154918331.7333333"
            },
            {
                "timestamp": "1669757057",
                "value": "1156227072"
            },
            {
                "timestamp": "1669760657",
                "value": "1156227072"
            },
            {
                "timestamp": "1669764257",
                "value": "1156232874.6666665"
            },
            {
                "timestamp": "1669767857",
                "value": "1156243456"
            },
            {
                "timestamp": "1669800257",
                "value": "1387066163.1999998"
            }
        ],
        "Slow_query_data": [
            {
                "query": "SELECT uuid,revision,type FROM EORevisionStore",
                "query_exec_count": "2",
                "query_time": "71.93s (143s)",
                "rows_affected": "0.0 (0)",
                "rows_examined": "63075.5 (126151)"
            },
            {
                "query": "SELECT uuid FROM rule_opts  order by uuid",
                "query_exec_count": "2",
                "query_time": "42.18s (84s)",
                "rows_affected": "0.0 (0)",
                "rows_examined": "978411.0 (1956822)"
            },
            {
                "query": "UPDATE rule_header set performance='S' WHERE  uuid IN ( 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S', 'S' )",
                "query_exec_count": "1",
                "query_time": "34.09s (34s)",
                "rows_affected": "19627.0 (19627)",
                "rows_examined": "58643.0 (58643)"
            },
            {
                "query": "select count(*) from rule_opts",
                "query_exec_count": "2",
                "query_time": "26.58s (53s)",
                "rows_affected": "0.0 (0)",
                "rows_examined": "978411.0 (1956822)"
            },
            {
                "query": "SELECT  rule_opts.sid,  rule_opts.gid FROM rule_opts LEFT JOIN rule_header  ON  rule_opts.sid = rule_header.sid AND  rule_opts.gid = rule_header.gid WHERE ( rule_header.sid  IS NULL  OR  rule_header.gid  IS NULL )",
                "query_exec_count": "2",
                "query_time": "25.58s (51s)",
                "rows_affected": "0.0 (0)",
                "rows_examined": "1956822.0 (3913644)"
            },
            {
                "query": "SELECT *, unix_timestamp(now()) - time_of_last_ping as ping_delta, HEX(domain_uuid) as domain_uuid FROM sensor WHERE id = 'S'",
                "query_exec_count": "1",
                "query_time": "19.28s (19s)",
                "rows_affected": "0.0 (0)",
                "rows_examined": "1.0 (1)"
            }
        ],
        "Top_ten_table_by_size": {
            "cfgdb": [
                {
                    "row_count": 953876,
                    "size": "464.98M",
                    "table_name": "rule_opts"
                },
                {
                    "row_count": 59190,
                    "size": "346.52M",
                    "table_name": "eorevisionstore"
                },
                {
                    "row_count": 47033,
                    "size": "252.61M",
                    "table_name": "eostore"
                }
            ],
            "sfsnort": [
                {
                    "row_count": 60905,
                    "size": "27.70M",
                    "table_name": "ids_event_msg_map"
                },
                {
                    "row_count": 568181,
                    "size": "25.43M",
                    "table_name": "rna_vuln_software"
                },
                {
                    "row_count": 464576,
                    "size": "17.87M",
                    "table_name": "geolocation_ipv4_country"
                },
                {
                    "row_count": 12933,
                    "size": "17.59M",
                    "table_name": "rna_vuln"
                },
                {
                    "row_count": 95676,
                    "size": "13.06M",
                    "table_name": "rna_fp_vuln_map"
                },
                {
                    "row_count": 116193,
                    "size": "11.49M",
                    "table_name": "rna_software_list"
                },
                {
                    "row_count": 32934,
                    "size": "5.55M",
                    "table_name": "vendor_mac_list"
                }
            ]
        },
        "binlog_size": "2.6G"
    },
    "fmcHaData": {
        "HA_Degraded_Message": " Both Management Centers are configured to run in standalone mode , No synchronization task running between high availability management centers",
        "HA_Enabled": "yes",
        "HA_Status": "Degraded",
        "MariaDB_Replication": {
            "Last_Errno": "0",
            "Last_Error": "",
            "Replication_error_msg": "error reconnecting to master 'repl_user@127.0.0.2:3306' - retry-time: 60  maximum-retries: 100000  message: Can't connect to server on '127.0.0.2' (111 \"Connection refused\")",
            "Replication_status": "fail"
        },
        "Periodic_Sync_Info": {
            "CA_Size": "0.00 MB",
            "LSP_Size": "599.27 MB",
            "Last_Sync": "HA synchronization time :   This DC is Inactive: "
        }
    },
    "talosAgent": {
        "urldb": {
            "last_operation_time": 1700462065,
            "last_operation_status": "Success",
            "last_status_change": 1700462065,
            "last_operation_message": "Update succeeded",
            "total_requests_sent": 42,
            "successful_requests_processed": 42
        },
        "taxonomy": {
            "last_operation_time": 1700472366,
            "last_operation_status": "Success",
            "last_status_change": 1700462065,
            "last_operation_message": "querying map successful",
            "total_requests_sent": 1,
            "successful_requests_processed": 1
        },
        "enrichment": {
            "last_operation_time": 1700237386,
            "last_operation_type": "ip",
            "last_operation_status": "Success",
            "last_status_change": 1700462065,
            "last_operation_message": "querying ip successful",
            "total_requests_sent": 2,
            "successful_requests_processed": 2
        },
        "talos_agent": {
            "last_operation_time": 1700237644,
            "last_operation_status": "Success",
            "last_status_change": 1700462065,
            "last_operation_message": "dumping health file periodically",
            "total_requests_sent": 786,
            "successful_requests_processed": 786
        }
    },
    "chassisData": {
        "chassisList": [
            {
                "chassisModel": "Cisco Secure Firewall 4215 Threat Defense Multi-Instance Supervisor",
                "chassisName": "192.168.1.46",
                "chassisOsVersion": "7.7.0",
                "chassisSerialNumber": "FJZ26281MKB",
                "coresUtilized": 0,
                "faultsList": [
                    {
                        "cause": "link-down",
                        "code": "F1150",
                        "description": "ether port 1/1 on fabric interconnect A oper state: link-down, reason: Down",
                        "highestSeverity": "minor",
                        "isAcknowledged": "no",
                        "occurrence": "1",
                        "severity": "minor"
                    }
                ],
                "instanceList": [],
                "totalCoresAvailable": 62,
                "totalFaults": 1,
                "totalInstanceCount": 0,
                "totalInterfacesCount": 10
            },
            {
                "chassisModel": "Cisco Secure Firewall 4215 Threat Defense Multi-Instance Supervisor",
                "chassisName": "192.168.1.63",
                "chassisOsVersion": "7.7.0",
                "chassisSerialNumber": "FJZ26281MKB",
                "coresUtilized": 6,
                "faultsList": [
                    {
                        "cause": "link-down",
                        "code": "F1150",
                        "description": "ether port 1/1 on fabric interconnect A oper state: link-down, reason: Down",
                        "highestSeverity": "minor",
                        "isAcknowledged": "no",
                        "occurrence": "1",
                        "severity": "minor"
                    }
                ],
                "instanceList": [
                    {
                        "firewallMode": "routed",
                        "instanceVersion": "7.7.0.1390",
                        "resourceProfileCoresUsed": 6
                    }
                ],
                "totalCoresAvailable": 62,
                "totalFaults": 1,
                "totalInstanceCount": 1,
                "totalInterfacesCount": 10
            }
        ],
        "totalChassisCount": 2
    }
}
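
A privacy-review helper for the payload above, added here as an example (it is not Cisco code): it walks a telemetry document and lists the leaf values that identify hosts, accounts, hardware, or file paths. The `SAMPLE` excerpt reuses keys and values from the sample above; the function names and category labels are assumptions.

```python
import json
import re

# Trimmed excerpt of the sample payload above (same keys and values).
SAMPLE = json.loads("""
{
  "mariaDBData": {"Db_file_system_size": [{"location": "/var/lib/mysql/cfgdb", "value": "2.0G"}]},
  "fmcHaData": {"MariaDB_Replication": {
      "Replication_error_msg": "error reconnecting to master 'repl_user@127.0.0.2:3306' - retry-time: 60",
      "Replication_status": "fail"}},
  "chassisData": {"chassisList": [
      {"chassisName": "192.168.1.46", "chassisOsVersion": "7.7.0",
       "chassisSerialNumber": "FJZ26281MKB", "totalFaults": 1}]}
}
""")

# Four octets in 0-255, not embedded in a longer dotted number such as 7.7.0.1390.
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])")
ACCOUNT_RE = re.compile(r"\b[\w.-]+@[\w.-]+")


def classify(key, value):
    """Return the identifier categories (labels are assumptions) for one string leaf."""
    kinds = []
    if "serial" in key.lower():
        kinds.append("hardware-serial")
    if IPV4_RE.search(value):
        kinds.append("ipv4")
    if ACCOUNT_RE.search(value):
        kinds.append("account@host")
    if value.startswith("/"):
        kinds.append("filesystem-path")
    return kinds


def find_identifiers(node, path="$"):
    """Walk the payload and yield (json_path, kind, value) for every flagged leaf."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_identifiers(child, f"{path}.{key}")
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from find_identifiers(child, f"{path}[{index}]")
    elif isinstance(node, str):
        key = path.rsplit(".", 1)[-1]
        for kind in classify(key, node):
            yield (path, kind, node)


if __name__ == "__main__":
    for json_path, kind, value in find_identifiers(SAMPLE):
        print(f"{kind:16} {json_path} = {value!r}")
```

Counters and booleans are skipped because only string leaves are inspected, so the output is the short list of fields worth reviewing before enrollment.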

History for Cisco Success Network Telemetry

Feature

Minimum Management Center

Minimum Threat Defense

Details

Collects EVE exception rules containing source context

7.7.0

Any

Cisco collects the count of EVE exception rules containing the source context.

Collects additional upgrade status telemetry data.

7.6.0

Any

Cisco collects additional information about threat defense upgrade failures to analyze and improve the upgrade experience. The upgrade status telemetry now includes the complete log and execution time for the failed script.

Cisco Security Cloud telemetry improvements.

7.6.0

Any

Cisco collects telemetry data on whether Cisco Security Cloud integration and the cloud services are enabled in the management center.

Encrypted Visibility Engine exception rule statistics

7.6.0

Any

Cisco collects telemetry data related to the encrypted visibility engine exception rule statistics.

Email address of the admin user.

7.6.0

Any

Cisco collects the email address of the management center admin user, if provided by the user. Cisco uses the email address for sales and product renewal conversations, new release adoption newsletters, and for sharing other product-related communications.

Management Center Virtual and threat defense virtual instance telemetry data.

7.6.0

Threat Defense Virtual

Cisco collects metrics specific to the management center virtual and threat defense virtual instances to understand the cloud usage trends.

Report usage telemetry.

7.6.0

Any

Cisco collects report usage statistics, including custom report templates, scheduled tasks, and report generation frequency, to understand usage of the management center's report capabilities.

Umbrella DNS policy telemetry.

7.6.0

Any

Cisco collects information about the Umbrella connector, including the status and the type of Umbrella DNS policy used.

Device interface telemetry.

7.6.0

Any

Cisco collects information about the mode of device deployment, device interface modes, and the type of interfaces.

SD-WAN VPN topology configuration telemetry.

7.6.0

Any

Cisco collects information about the SD-WAN VPN topology configurations.

Change management workflow telemetry.

7.4.1

Any

ZTNA telemetry data exports from LINA and Snort inspection engines.

7.4.1

Any

Cisco collects ZTNA telemetry data from both LINA and Snort inspection engines.

  • LINA exports ZTNA telemetry data such as Active Users, Total Applications, Number of SAML requests/response failed, Latency, and more.

  • Snort exports important ZTNA telemetry data such as Total HTTP flows received, Total cookie/username messages received, cookie invalid authorization failures, and more.

EVE telemetry across different Threat and Process confidence levels and Protocols.

7.4.1

Any

Cisco collects EVE customer telemetry across different Threat and Process confidence levels and Protocols.