Introduction to AIOps Insights

About AIOps Insights

Firewalls are a critical component of any organization's network security architecture. However, as organizations expand and the threat landscape evolves, managing these firewalls becomes complex. Staying updated with the continuous changes and rules to adapt to new threats, network changes, and compliance requirements presents significant challenges. Improper management can lead to security gaps and vulnerabilities, posing risks to an organization's network security.

To effectively address these challenges, a new approach to firewall management is required. This is where AIOps becomes essential.

AIOps for firewalls leverages artificial intelligence (AI) and machine learning (ML) to streamline and enhance the management and security of network firewalls. By using dynamic baselines and advanced forecasting models, AIOps can detect policy anomalies and predict potential issues before they escalate, ensuring proactive maintenance and stability.


Note

Currently, the AIOps features are available only for threat defense devices that are managed by cloud-delivered Firewall Management Center.

AIOps' key functionalities include:

  • Real-Time Traffic and Capacity Monitoring: Monitors network traffic and system capacity in real-time, and detects anomalies such as elephant flows, ensuring that resources are optimized for peak performance.

  • Policy Anomaly Detection: Analyzes firewall policies, and detects misconfigurations or anomalies before they impact performance or security.

  • Feature Adoption Insights and Best Practice Recommendations: Provides insights into the level of feature adoption and suggests best practices to optimize security configurations.

  • Predictive Forecasting for Network Issues: Predicts potential future network issues, allowing you to address them proactively and minimize downtime.

  • Critical Alerts: Filters and prioritizes the most urgent security events helping you focus on critical issues.

AIOps' key features include:

  • Summary Insights: Provides detailed information on all insights and insights trend. You can view a list of all the anomalies that are categorized by Severity and Type.

  • Policy Analyzer and Optimizer: Analyzes security policies, detects anomalies, and provides recommendations on remediations that can be performed to optimize the policies, thereby improving the firewall performance.

  • Feature Adoption: Provides insights into the features that are adopted and the percentage of adoption to modify the usage pattern and achieve optimal security. By analyzing the adoption rate of different features, you can take decisions on how to improve the usage pattern and enhance security measures.

  • Configuration Settings: Provides the ability to configure thresholds for AIOps features and enable or disable insight preferences. You can customize these settings to suit your specific needs.

AIOps Licensing Requirements

If you have licenses for the Secure Firewall Management Center, you can access AIOps by enabling AIOps Insights in your tenant. The initial version of AIOps is included as part of your firewall license and is granted on a per-device basis.

Prerequisites to Use AIOps

  • Ensure that you have access to a Security Cloud Control tenant where AIOps Insights is enabled and cloud-delivered Firewall Management Center is provisioned.

  • Ensure that you have configured the thresholds and preferences for the AIOps features.

  • You must have Super Admin or Admin user roles to enable AIOps Insights in your tenant.

Enable AIOps Insights

To take advantage of AIOps' benefits, you must enable AIOps Insights. You must have Super Admin or Admin user roles to enable AIOps Insights in your tenant.

Procedure

Step 1

In the home page, click Start Onboarding.

Step 2

In the AIOps Insights for Cisco Firewall window, click Setup.

Step 3

In the Setup AIOps page, check the Confirm AlOps activation check box.

Step 4

Click Get Started.

The onboarding process begins, and it takes a few minutes to fetch the data that is required to provide the insights. When completed, the AIOps > Summary page is displayed.

View Summary Insights

The AIOps Summary page provides detailed information about all Active insights, including a categorized list of detected anomalies.

Procedure

Step 1

In the left pane, click Insights & Reports > Summary.

Step 2

View the total number of Active Insights.

Insights are classified by:

  • Severity: Insights are classified by their severity levels such as Critical, Warning, and Informational.

  • Category: Insights are classified by their categories such as Configuration, Traffic & Capacity, Health & Operations.

Categories

Subcategories

Configuration

Access control policy anomaly detection

Traffic & Capacity

  • Elephant flow detection

  • RA VPN capacity assessment

Health & Operations

  • High data plane CPU usage

  • Snort high CPU usage

  • High data plane memory usage

  • Snort high memory usage

Step 3

Insights Trend displays a timeline indicating the trend of insights over a specific duration of time. You can set the duration to 1, 6, 12, or 24 hours, and 2 or 7 days. The default view is set to 24 hours.

Step 4

In the All Insights section, details of each insight are displayed, such as:

  • Time: Time at which the insight was detected or updated.

  • Severity: Severity of the insight such as Critical, Warning, and Informational.

  • Insight: Insight title and a short summary about the issue.

  • Category: Insight category such as Health & Operations, Traffic & Capacity, and Configuration.

  • Impacted Resources: Impacted resource for the insights, which can be a device, host, or policy. Currently, only threat defense devices and Management Centers are supported.

  • Duration: Duration of the issue from the time it was first detected until it was resolved.

  • Status: Status of the insight such as Active or Resolved.

Step 5

You can filter insights by factors such as Time Range, Severity, Category, Impacted Resources, Duration, and Status.

Step 6

Click the gear icon to select which columns to display in the All Insights table.

Figure 1. View Summary Insights

Assess and Improve Feature Adoption

Feature Adoption provides insights into the features that are adopted and the percentage of adoption. This information helps you modify your usage patterns to achieve optimal security. By analyzing the adoption rate of different features, you can take the right decisions to enhance your organization's security measures.

Procedure

Step 1

In the left pane, click Insights & Reports > Feature Adoption.

  • In the Summary tile, you can view the total number of features available, including how many are Not Adopted, Partially Adopted, and Adopted.

  • In the Feature Adoption section, you can view the percentage of adoption of a particular feature . The feature adoption rate can vary between 0% and 100% depending on the usage.

  • In the Feature Recommendation tile, you can watch short videos about recommended features that will help enhance your organization’s security.

Note

 

  • The feature adoption data is refreshed every 24 hours.

  • We recommend that you increase the usage of these features to improve overall security.

Step 2

Click a feature name to view more details, such as:

  • A short description of the feature

  • Feature adoption rate

  • Steps to improve your feature adoption rate efficiency

Figure 2. Feature Adoption

Enable or Disable Insight Preferences and Configure Threshold Settings

You can enable or disable insight preferences for your tenant and configure thresholds for the following AIOps features:

Traffic and Capacity Insights

You can modify the preferences for traffic and capacity-related insights.


Note

  • The settings for Elephant Flow Detection and RAVPN Capacity Assessment are enabled by default.

  • The RA VPN Capacity Assessment runs every 24 hours, with changes applied in the subsequent assessment cycle.

Procedure

Step 1

In the left pane, click Insights & Reports > Settings > Traffic & Capacity.

Step 2

Enable the High Traffic Caused by Elephant Flow toggle to detect the elephant flows that transfer large amounts of data and lead to system performance issues.

  1. Choose the Insight Severity from the drop-down.

  2. Click Submit.

For more information, see Elephant Flow Detection.

Step 3

Enable the RAVPN Capacity Assessment toggle to forecast the trajectory of RA VPN user sessions using the current data, and determine the anticipated time until maximum system capacity is reached.

  1. Choose a value from the Accuracy drop-down list. . This determines the accuracy of the forecast based on the Root Mean Squared Error (RMSE) value.

  2. Enter the Max Session Threshold value:

    • The default value is 90%.

    • The minimum value is 1%, and the maximum value is 100%.

  3. Enter the Forecast Duration in Days:

    • The default duration is 90 days.

    • The minimum duration is 1 day, and the maximum duration is 90 days.

  4. Click Submit.

For more information, see Remote Access VPN.

After you enable the features for the tenant, you can view the detected anomalies in the Summary page, and the respective widgets are displayed on the dashboard.

Feature Adoption Insights

You can modify the preferences for Feature Adoption-related insights.


Note

The setting for Feature Adoption is enabled by default.

Procedure

Step 1

In the left pane, click Insights & Reports > Settings > Feature Adoption.

Step 2

Enable the Feature Adoption toggle to gain insights into feature adoption and the percentage of adoption.

Step 3

Click Submit.

After you enable the feature for your tenant, you can view the detected anomalies in the Summary page, and the respective widget is displayed on the dashboard.

Health and Operations Insights

You can modify your preferences for Health and Operations-related insights.


Note

The settings for Health & Operations are enabled by default.

Procedure

Step 1

In the left pane, click Insights & Reports > Settings > Health.

You can enable the following health-related insights:

Step 2

Enable the Data Plane High CPU Usage toggle button to monitor data plane CPU usage and detect when thresholds are exceeded.

  1. Enter the CPU Threshold value:

    • The default value is 80%.

    • The minimum value is 0% and the maximum value is 100%.

  2. Choose a value from the Insight Severity drop-down list.

Step 3

Enable the Snort High CPU Usage toggle button to monitor Snort CPU usage and detect when thresholds are exceeded.

  1. Enter the CPU Threshold value:

    • The default value is 80%.

    • The minimum value is 0% and the maximum value is 100%.

  2. Choose a value from the Insight Severity drop-down list.

Step 4

Enable the Data Plane High Memory Usage toggle button to monitor data plane memory usage and detect when thresholds are exceeded.

  1. Enter the Memory Threshold value:

    • The default value is 80%.

    • The minimum value is 0% and the maximum value is 100%.

  2. Choose the Insight Severity from the drop-down.

Step 5

Enable the Snort High Memory Usage toggle button to monitor Snort memory usage and detect when thresholds are exceeded.

  1. Enter the Memory Threshold value:

    • The default value is 80%.

    • The minimum value is 0% and the maximum value is 100%.

  2. Choose a valur from the Insight Severity drop-down list.

Step 6

Click Submit.

After you enable the feature for the tenant, you can view the detected anomalies in the Summary page, and the respective widget is displayed on the dashboard.

Frequently Asked Questions About AIOps

What is AIOps?

AIOps for firewalls leverages artificial intelligence (AI) and machine learning (ML) to streamline and enhance the management and security of network firewalls. By using dynamic baselines and advanced forecasting models, AIOps can detect policy anomalies and predict potential issues before they escalate, ensuring proactive maintenance and stability.

Are AIOps features available for all types of FMC-managed threat defense devices?

AIOps features are available only for cloud-delivered Firewall Management Center-managed threat defense devices. Currently, there is no on-premises management center support.

Can enabling AIOps fail?

If an onboarding failure occurs, open a support ticket with Cisco Technical Assistance Center (TAC).

Can AIOps Insights be disabled?

Yes. Open a support ticket with Cisco Technical Assistance Center (TAC) to disable AIOps Insights.