The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The following topics contain information on configuring remediations:
Any
Any
Admin
Discovery Admin
A remediation is a program that the Firepower System launches in response to a correlation policy violation.
When a remediation runs, the system generates a remediation status event. Remediation status events include details such as the remediation name, the correlation policy and rule that triggered it, and the exit status message.
The system supports several remediation modules:
Cisco ISE Endpoint Protection Services (EPS) — quarantines, unquarantines, or shuts down traffic sent to a host or network involved in a correlation policy violation
Cisco IOS Null Route — blocks traffic sent to a host or network involved in a correlation policy violation (requires Cisco IOS Version 12.0 or higher)
Nmap Scanning — scans hosts to determine running operating systems and servers
Set Attribute Value — sets a host attribute on a host involved in a correlation policy violation
 Tip |
You can install custom modules that perform other tasks; see the Firepower System Remediation API Guide. |
To implement a remediation, first create at least one instance for the module you choose. You can create multiple instances per module, where each instance is configured differently. For example, to communicate with multiple routers using the Cisco IOS Null Route remediation module, configure multiples instances of that module.
You can then add multiple remediations to each instance that describe the actions you want to perform when a policy is violated.
Finally, associate remediations with rules in correlation policies, so that the system launches the remediations in response to correlation policy violations.
In a multidomain deployment, you can install custom remediation modules at any domain level. The system-provided modules belong to the Global domain.
Though you cannot add a remediation to an instance created in an ancestor domain, you can create a similarly configured instance in the current domain and add remediations to that instance. You can also use remediations created in ancestor domains as correlation responses.
If you have Endpoint Protection Service (EPS) enabled and configured in your ISE deployment, you can configure your Firepower Management Center to launch remediations using ISE. When fully configured, ISE EPS remediations run the following Mitigation Actions on the source or destination host involved in a correlation policy violation:
quarantine—Limits or denies an endpoint's access the network
unquarantine—Reverses an endpoint's quarantine status and allows full access to the network
shutdown—Deactivates an endpoint's network attached system (NAS) port to disconnect it from the network
You can also exempt specific IP addresses from ISE EPS remediation.
 Note |
Your ISE version and configuration impact how you can use ISE in the Firepower System. For example, you cannot use ISE-PIC to perform ISE EPS remediations. For more information, see The ISE/ISE-PIC Identity Source for more information. |
For more information about ISE EPS actions, see the Cisco Identity Services Engine User Guide.
You can respond to correlation policy violations by running ISE EPS remediations on the source or destination host.
Note |
ISE-PIC cannot perform ISE EPS remediations. |
Configure EPS operations on your ISE server.
Configure a connection to ISE as described in Configure ISE/ISE-PIC for User Control.
|
Step 1 |
Choose . |
|
Step 2 |
Add a pxGrid mitigation instance as described in Adding an ISE EPS Instance. |
|
Step 3 |
Add one or more ISE EPS remediations as described in Adding ISE EPS Remediations. |
Assign remediations as responses to correlation policy violations as described in Adding Responses to Rules and White Lists.
Create ISE EPS instances to group individual remediations by logging type.
|
Step 1 |
Choose . |
|
Step 2 |
From the Add a New Instance list, choose pxGrid Mitigation(v1.0) as the module type and click Add. |
|
Step 3 |
Enter an Instance Name and Description. |
|
Step 4 |
Set Enable Logging option to enable or disable system logging. |
|
Step 5 |
Click Create. |
Create an ISE EPS remediation as described in Adding Set Attribute Value Remediations.
Create one or more ISE EPS remediations within an instance to run Mitigation Actions on the source or destination host involved in a correlation policy violation.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Create an ISE EPS instance as described in Adding an ISE EPS Instance.
|
Step 1 |
Choose . |
|
Step 2 |
Next to the instance where you want to add the remediation, click View ( |
|
Step 3 |
In the Configured Remediations section, choose the Mitigate Destination or Mitigate Source and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
|
Step 4 |
Enter a Remediation Name and Description. |
|
Step 5 |
Choose a Mitigation Action: quarantine, unquarantine, or shutdown. |
|
Step 6 |
(Optional) To exempt IP addresses or ranges from remediation, enter them into the Whitelist box. |
|
Step 7 |
Click Create, then click Done. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
The Cisco IOS Null Route remediation module allows you to block an IP address or range of addresses using Cisco’s “null route” command. This drops all traffic sent to a host or network by routing it to the router’s NULL interface. This does not block traffic sent from the violating host or network.
Note |
Do not use a destination-based remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts. |
 Caution |
When a Cisco IOS remediation is activated, there is no timeout period. To unblock the IP address or network, you must manually clear the routing change from the router. |
Note |
Do not use a destination-based remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts. |
Caution |
When a Cisco IOS remediation is activated, there is no timeout period. To unblock the IP address or network, you must manually clear the routing change from the router. |
Confirm that your Cisco router is running Cisco IOS 12.0 or higher.
Confirm that you have level 15 administrative access to the router.
|
Step 1 |
Enable Telnet on the Cisco router as described in the documentation provided with your Cisco router or IOS software. |
|
Step 2 |
On the Firepower Management Center, add a Cisco IOS Null Route instance for each Cisco IOS router you plan to use; see Adding a Cisco IOS Instance. |
|
Step 3 |
Create remediations for each instance, based on the type of response you want to elicit on the router when correlation policies are violated: |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
If you have multiple routers where you want to send remediations, create a separate instance for each router.
Configure Telnet access on the Cisco IOS router as described in the documentation provided with the router or IOS software.
|
Step 1 |
Choose . |
||
|
Step 2 |
From the Add a New Instance list, choose Cisco IOS Null Route and click Add. |
||
|
Step 3 |
Enter an Instance Name and Description. |
||
|
Step 4 |
In the Router IP field, enter the IP address of the Cisco IOS router you want to use for the remediation. |
||
|
Step 5 |
In the Username field, enter the Telnet user name for the router. This user must have level 15 administrative access on the router. |
||
|
Step 6 |
In the Connection Password fields, enter the Telnet user’s user password. |
||
|
Step 7 |
In the Enable Password fields, enter the Telnet user’s enable password. This is the password used to enter privileged mode on the router. |
||
|
Step 8 |
In the White List field, enter IP addresses or ranges that you want to exempt from the remediation, one per line.
|
||
|
Step 9 |
Click Create. |
Add specific remediations to be used by correlation policies as described in Adding Cisco IOS Block Destination Remediations, Adding Cisco IOS Block Destination Network Remediations, Adding Cisco IOS Block Source Remediations, and Adding Cisco IOS Block Source Network Remediations.
The Cisco IOS Block Destination remediation blocks traffic sent from the router to the destination host involved in a correlation policy violation. Do not use this remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
|
Step 1 |
Choose . |
|
Step 2 |
Next to the instance where you want to add the remediation, click View ( |
|
Step 3 |
In the Configured Remediations section, choose Block Destination and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
|
Step 4 |
Enter a Remediation Name and Description. |
|
Step 5 |
Click Create, then click Done. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
The Cisco IOS Block Destination Network remediation blocks traffic sent from the router to the network of the destination host involved in a correlation policy violation. Do not use this remediation as a response to a correlation rule that is based on a discovery or host input event. These events are associated with source hosts.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
|
Step 1 |
Choose . |
|
Step 2 |
Next to the instance where you want to add the remediation, click View ( |
|
Step 3 |
In the Configured Remediations section, choose Block Destination Network and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
|
Step 4 |
Enter a Remediation Name and Description. |
|
Step 5 |
In the Netmask field, enter the subnet mask or use CIDR notation to describe the network that you want to block traffic to. For example,
to block traffic to an entire Class C network when a single host triggered a
rule (this is not recommended), use
As another
example, to block traffic to 30 addresses that include the triggering IP
address, specify
|
|
Step 6 |
Click Create, then click Done. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
The Cisco IOS Block Source remediation blocks traffic sent from the router to the source host involved in a correlation policy violation.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
|
Step 1 |
Choose . |
|
Step 2 |
Next to the instance where you want to add the remediation, click View ( |
|
Step 3 |
In the Configured Remediations section, choose Block Source and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
|
Step 4 |
Enter a Remediation Name and Description. |
|
Step 5 |
Click Create, then click Done. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
The Cisco IOS Block Source Network remediation blocks traffic sent from the router to the network of the source host involved in a correlation policy violation.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Add a Cisco IOS instance as described in Adding a Cisco IOS Instance.
|
Step 1 |
Choose . |
|
Step 2 |
Next to the instance where you want to add the remediation, click View ( |
|
Step 3 |
In the Configured Remediations section, choose Block Source Network and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
|
Step 4 |
Enter a Remediation Name and Description. |
|
Step 5 |
In the Netmask field, enter the subnet mask or CIDR notation that describes the network that you want to block traffic to. For example,
to block traffic to an entire Class C network when a single host triggered a
rule (this is not recommended), use
As another
example, to block traffic to 30 addresses that include the triggering IP
address, specify
|
|
Step 6 |
Click Create, then click Done. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
The Firepower System integrates with Nmap™, an open source active scanner for network exploration and security auditing. You can respond to a correlation policy violation using an Nmap remediation, which triggers an Nmap scan remediation.
For more information about Nmap scanning, see Nmap Scanning.
You can respond to a correlation policy violation by setting a host attribute value on the host where the triggering event occurred. For text host attributes, you can use the description from the event as the attribute value.
|
Step 1 |
Choose . |
|
Step 2 |
Create a set attribute instance as described in Adding a Set Attribute Value Instance. |
|
Step 3 |
Add a set attribute remediation as described in Adding Set Attribute Value Remediations. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
|
Step 1 |
Choose . |
|
Step 2 |
From the Add a New Instance list, choose Set Attribute Value and click Add. |
|
Step 3 |
Enter an Instance Name and Description. |
|
Step 4 |
Click Create. |
Create a set attribute remediation as described in Adding Set Attribute Value Remediations.
The Set Attribute Value remediation sets a host attribute on a host involved in a correlation policy violation. Create a remediation for each attribute value you want set. For text attributes, you can use the description from the triggering event as the attribute value.
In a multidomain deployment, you cannot add a remediation to an instance created in an ancestor domain.
Create a set attribute instance as described in Adding a Set Attribute Value Instance.
|
Step 1 |
Choose . |
|
Step 2 |
Next to the instance where you want to add the remediation, click View ( |
|
Step 3 |
In the Configured Remediations section, choose Set Attribute Value and click Add. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. |
|
Step 4 |
Enter a Remediation Name and Description. |
|
Step 5 |
To use this remediation in response to an event with source and destination data, choose an Update Which Host(s) From Event option. |
|
Step 6 |
For text attributes, specify whether you want to Use Description From Event For Attribute Value:
|
|
Step 7 |
Click Create, then click Done. |
Assign remediations as responses to correlation policy violations; see Adding Responses to Rules and White Lists.
In a multidomain deployment, the system displays remediation modules installed in the current domain, which you can delete. It also displays modules installed in ancestor domains, which you cannot delete. To manage remediation modules in a lower domain, switch to that domain.
|
Step 1 |
Choose . |
|
Step 2 |
Manage your remediation modules:
|
The Instances page lists all configured instances for all remediation modules.
In a multidomain deployment, the system displays remediation instances created in the current domain, which you can edit. It also displays instances created in ancestor domains, which you cannot edit. To manage remediation instances in a lower domain, switch to that domain.
Though you cannot add a remediation to an instance created in an ancestor domain, you can create a similarly configured instance in the current domain and add remediations to that instance. You can also use remediations created in ancestor domains as correlation responses.
|
Step 1 |
Choose . |
|
Step 2 |
Manage your remediation instances:
|
The Module Detail page displays all of the instances and remediations configured for a particular remediation module.
In a multidomain deployment, you can access the Module Detail page for remediation modules installed in the current domain and in ancestor domains. However, you cannot use the Module Detail page to add, delete, or edit instances in the current domain for a module installed in an ancestor domain. Instead, use the Instances page ( ); see Managing Remediation Instances .
|
Step 1 |
Choose . |
|
Step 2 |
Next to the remediation module whose instances you want to manage, click View ( |
|
Step 3 |
Manage your remediation instances:
|
)
)
Feedback