FireSIGHT System User Guide Version 5.4.1

Understanding Health Policies

License: Any

A health policy is a collection of health module settings you apply to an appliance to define the criteria that the Defense Center uses when checking the health of the appliance. The health monitor tracks a variety of health indicators to ensure that your FireSIGHT System hardware and software are working correctly.

When you create health policies, you choose which tests to run to determine appliance health. You can also apply the default health policy to any appliance.

Understanding Health Modules

License: Any

Health modules, also sometimes referred to as health tests, are scripts that test for the criteria you specify in a health policy. The available health modules are described in the following table.

Understanding Health Monitoring Configuration

License: Any

There are several steps to setting up health monitoring on your FireSIGHT System, as indicated in the following procedure:

Step 1 Create health policies for your appliances.

You can set up specific policies for each kind of appliance you have in your FireSIGHT System, enabling only the appropriate tests for that appliance.

Tip If you want to quickly enable health monitoring without customizing the monitoring behavior, you can apply the default policy provided for that purpose.

For more information on setting up health policies, see Configuring Health Policies.

Step 2 Apply a health policy to each appliance where you want to track health status. For information on the default health policy available for immediate application, see Understanding the Default Health Policy.

Step 3 Optionally, configure health monitor alerts.

You can set up email, syslog, or SNMP alerts that trigger when the health status level reaches a particular severity level for specific health modules.

For more information on setting up health monitor alerts, see Configuring Health Monitor Alerts.

After you set up health monitoring on your system, you can view the health status at any time on the Health Monitor page or the Health Events table view. For more information about viewing system health data, see the following topics:

• Using the Health Monitor
• Using Appliance Health Monitors
• Working with Health Events

Understanding the Default Health Policy

License: Any

The Defense Center health monitor includes a default health policy to make it easier for you to quickly implement health monitoring for your appliances. The default health policy is automatically applied to the Defense Center. You cannot edit the default health policy, but you can copy it to create custom policies based on its configuration. For more information, see Creating Health Policies.

To also monitor device health, you can push health policies to your managed devices.

Note You cannot apply a health policy to Cisco NGIPS for Blue Coat X-Series.

In the default health policy, most of the health modules available on the running platform are automatically enabled. The following table details the modules activated in the default policy for Defense Centers and managed devices.

Creating Health Policies

License: Any

If you want to customize a health policy to use with your appliances, you can create a new policy. The settings in the policy initially populate with the settings from the health policy you select as a basis for the new policy. You can enable or disable modules within the policy and change the alerting criteria for each module as needed.

Tip Instead of creating a new policy, you can export a health policy from another Defense Center and then import it onto your Defense Center. You can then edit the imported policy to suit your needs before you apply it. For more information, see Importing and Exporting Configurations.

To create a health policy:

Access: Admin/Maint

Step 1 Select Health > Health Policy .

The Health Policy page appears.

Step 2 Click Create Policy .

The Create Health Policy page appears.

Step 3 Select the existing policy that you want to use as the basis for the new policy from the Copy Policy drop-down list .

Step 4 Enter a name for the policy.

Step 5 Enter a description for the policy.

Step 6 Select Save to save the policy information.

The Health Policy Configuration page appears, including a list of the modules.

Step 7 Configure settings on each module you want to use to test the health status of your appliances, as described in the following sections:

• Configuring Policy Run Time Intervals
• Configuring Advanced Malware Protection Monitoring
• Configuring Appliance Heartbeat Monitoring
• Configuring Automatic Application Bypass Monitoring
• Configuring CPU Usage Monitoring
• Configuring Card Reset Monitoring
• Configuring Disk Status Monitoring
• Configuring Disk Usage Monitoring
• Configuring FireAMP Status Monitoring
• Configuring FireSIGHT Host Usage Monitoring
• Configuring Hardware Alarm Monitoring
• Configuring Health Status Monitoring
• Configuring Inline Link Mismatch Alarm Monitoring
• Configuring Interface Status Monitoring
• Configuring Intrusion Event Rate Monitoring
• Understanding License Monitoring
• Configuring Link State Propagation Monitoring
• Configuring Memory Usage Monitoring
• Configuring Power Supply Monitoring
• Configuring Process Status Monitoring
• Configuring Reconfiguring Detection Monitoring
• Configuring RRD Server Process Monitoring
• Configuring Security Intelligence Monitoring
• Configuring Time Series Data Monitoring
• Configuring Time Synchronization Monitoring
• Configuring URL Filtering Monitoring
• Configuring User Agent Status Monitoring
• Configuring VPN Status Monitoring

Note Make sure you enable each module that you want to run to test the health status on each Health Policy Configuration page as you configure the settings. Disabled modules do not produce health status feedback, even if the policy that contains the module has been applied to an appliance.

Step 8 Click Save Policy and Exit to save the policy.

You must apply the policy to each appliance for it to take effect. For more information on applying health policies, see Applying Health Policies.

Configuring Policy Run Time Intervals

License: Any

You can control how often health tests run by modifying the Policy Run Time Interval for the health policy. The maximum run time interval you can set is 99999 minutes.

To configure a policy run time interval:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, select Policy Run Time Interval .

The Health Policy Configuration — Policy Run Time Interval page appears.

Step 2 In the Run Interval (mins) field, enter the time in minutes that you want to elapse between automatic repetitions of the test.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Advanced Malware Protection Monitoring

License: Malware

This module tracks the state and stability of the Defense Center’s ability to query the Cisco cloud and detect files in network traffic. If the system detects that your connection with the cloud is interrupted, the encryption keys used for the connection are invalid, or the number of files detected in a time frame is excessive, the status classification for this module changes to Warning and the module generates a health alert. Note that if you are using a FireAMP Private Cloud and it is unable to communicate with the public Cisco cloud, the private cloud itself generates an alert; for more information, see the FireAMP Private Cloud Administration Portal User Guide .

Note If your Defense Center loses connectivity to the Internet, the system may take up to 30 minutes to generate an Advanced Malware Protection health alert.

To configure Advanced Malware Protection health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Advanced Malware Protection.

The Health Policy Configuration — Advanced Malware Protection page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Appliance Heartbeat Monitoring

License: Any

The Defense Center receives heartbeats from its managed devices once every two minutes or every 200 events, whichever comes first, as an indicator that the device is running and communicating properly with the Defense Center. Use the Appliance Heartbeat health status module to track whether the Defense Center receives heartbeats from managed appliances. If the Defense Center does not detect a heartbeat from a device, the status classification for this module changes to Critical. That status data feeds into the health monitor.

To configure Appliance Heartbeat health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Appliance Heartbeat .

The Health Policy Configuration — Appliance Heartbeat page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Automatic Application Bypass Monitoring

License: Any

Use this module to detect when a managed device is bypassed because it did not respond within the number of seconds configured as the bypass threshold. If a bypass occurs, this module generates an alert. That status data feeds into the health monitor.

For more information on automatic application bypass, see Automatic Application Bypass.

To configure automatic application bypass monitoring status:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Automatic Application Bypass Status .

The Health Policy Configuration — Automatic Application Bypass Status page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate managed device if you want your settings to take effect. See Applying Health Policies for more information.

Configuring CPU Usage Monitoring

License: Any

Supported Devices: Any except 3D9900

Supported Defense Centers: Any

Excessive CPU usage may indicate that you need to upgrade your hardware or that there are processes that are not functioning correctly. Use the CPU Usage health status module to set CPU usage limits.

If the CPU usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the CPU usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.

To configure CPU usage limits:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, select CPU Usage .

The Health Policy Configuration — CPU Usage page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Critical Threshold % field, enter the percentage of CPU usage that should trigger a critical health status.

Step 4 In the Warning Threshold % field, enter the percentage of CPU usage that should trigger a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Card Reset Monitoring

License: Any

Use the card reset monitoring health status module to track when the network card restarts because of hardware failure. If a reset occurs, this module generates an alert. That status data feeds into the health monitor.

To configure card reset monitoring:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Card Reset .

The Health Policy Configuration — Card Reset Monitoring page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate Defense Center if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Disk Status Monitoring

License: Any

Use the Disk Status health module to monitor the current status of your appliance’s hard disk, and malware storage pack if installed. This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected.

To configure Disk Status health module settings:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, click Disk Status .

The Health Policy Configuration — Disk Status page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Disk Usage Monitoring

License: Any

Without sufficient disk space, an appliance cannot run. The health monitor can identify low disk space conditions on your appliance’s hard drive and malware storage pack before space runs out. The health monitor can also alert when hard drive file draining occurs too frequently. Use the Disk Usage health status module to monitor disk usage for the / and /volume partitions on the appliance and track draining frequency.

Note Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.

If the overall disk usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the overall disk usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.

If the system deletes unprocessed events, the status classification for that module changes to Warning. If the system drains files in any disk usage category too frequently based on module thresholds, or if disk usage for files not in a monitored disk usage category grows too large based on module thresholds, the status classification for that module changes to Critical. For more information on disk usage categories, see Understanding the Disk Usage Widget.

To configure Disk Usage health module settings:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, select Disk Usage .

The Health Policy Configuration — Disk Usage page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Critical Threshold % field, enter the percentage of disk usage that should trigger a critical health status.

Step 4 In the Warning Threshold % field, enter the percentage of disk usage that should trigger a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring FireAMP Status Monitoring

License: Any

Use the FireAMP Status Monitor module to alert you in the following situations:

• the Defense Center cannot connect to the Cisco cloud after an initial successful connection
• you deregister a cloud connection using the FireAMP portal
• your FireAMP Private Cloud is unable to communicate with the public Cisco cloud

In these cases, the module status changes to Critical and provides the cloud name associated with the failed connection. For information on configuring a cloud connection, see Working with Cloud Connections for FireAMP.

To configure FireAMP Status Monitor module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select FireAMP Status Monitor .

The Health Policy Configuration — FireAMP Status Monitor page appears.

Step 2 Select On for the Enabled option to enable use of the module for FireAMP status monitoring.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the Defense Center if you want your settings to take effect. See Applying Health Policies for more information.

Configuring FireSIGHT Host Usage Monitoring

License: FireSIGHT

Use the FireSIGHT Host License Limit health status module to set FireSIGHT Host amount warning limits. If the number of remaining FireSIGHT Hosts on the monitored device falls below the Warning Hosts limit, the status classification for that module changes to Warning. If the number of remaining FireSIGHT Hosts on the monitored device falls below the Critical Hosts limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of hosts you can set for either limit is 1000, and the Critical host limit number must be lower than the Warning limit.

To configure FireSIGHT Host License Limit health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select FireSIGHT Host License Limit .

The Health Policy Configuration — FireSIGHT Host License Limit page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Critical number Hosts field, enter the remaining number of available hosts that should trigger a critical health status.

Step 4 In the Warning number Hosts field, enter the remaining number of available hosts that should trigger a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Hardware Alarm Monitoring

License: Any

Supported Devices: Series 3, 3D9900

Use the Hardware Alarms health status module to detect hardware failure on a Series 3 or 3D9900 device. If the Hardware Alarms module finds a hardware component that has failed or clustered devices that are not communicating with each other, the status classification for that module changes to Critical. That status data feeds into the health monitor.

For more information on the hardware status conditions that can cause hardware alerts on 3D9900 devices, see Interpreting Hardware Alert Details for 3D9900 Devices.

To configure Hardware Alarm health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Hardware Alarms .

The Health Policy Configuration — Hardware Alarm Monitor page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Health Status Monitoring

License: Any

Use the Health Monitor Process module to monitor the health of the health monitor on a Defense Center by generating alerts when too many minutes elapse between health events received from monitored appliances.

For example, if a Defense Center ( myrtle.example.com ) monitors a device ( dogwood.example.com ), you apply a health policy with the Health Monitor Process module enabled to myrtle.example.com . The Health Monitor Process module then reports events that indicate how many minutes have elapsed since the last event was received from dogwood.example.com .

You can configure the elapsed duration between events, in minutes, that causes an alert to be generated. If the wait exceeds the number of minutes configured in the Warning Minutes since last event limit, the status classification for that module changes to Warning. If the wait exceeds the Critical Minutes since last event limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

The maximum number of minutes you can set for either limit is 144, and the Critical limit must be higher than the Warning limit. The minimum number of minutes is 5.

To configure Health Monitor Process module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Health Monitor Process .

The Health Policy Configuration — Health Monitor Process page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Critical Minutes since last event field, enter the maximum number of minutes to wait between events, before triggering a critical health status.

Step 4 In the Warning Minutes since last event field, enter the maximum number of minutes to wait between events, before triggering a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the Defense Center for your settings to take effect. See Applying Health Policies for more information.

Configuring Inline Link Mismatch Alarm Monitoring

License: Any

Use the Inline Link Mismatch Alarm health status module to track when the interfaces on either side of an inline set negotiate different connection speeds. If different negotiated speeds are detected, this module generates an alert.

To configure inline link mismatch monitoring:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Inline Link Mismatch Alarms .

The Health Policy Configuration — Inline Link Mismatch Alarms page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate Defense Center if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Interface Status Monitoring

License: FireSIGHT

Use the Interface Status health status module to detect whether a device receives traffic. If the Interface Status module determines that a device does not receive traffic, the status classification for that module changes to Critical. That status data feeds into the health monitor.

Note Interfaces labeled DataPlaneInterfacex, where x is a numerical value, are internal ASA interfaces (not user-defined) and involve packet flow within the system.

To configure Interface Status health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Interface Status .

The Health Policy Configuration — Interface Status page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Intrusion Event Rate Monitoring

License: Protection

Use the Intrusion Event Rate health status module to set limits for the number of packets per second that trigger a change in the health status. If the event rate on the monitored device exceeds the number of events per second configured in the Events per second (Warning) limit, the status classification for that module changes to Warning. If the event rate exceeds the number of events per second configured in the Events per second (Critical) limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to 50 and Events per second (Warning) should be set to 30 . To determine limits for your system, find the Events/Sec value on the Statistics page for your device ( System > Monitoring > Statistics ), then calculate the limits using these formulas:

• Events per second (Critical) = Events/Sec * 2.5
• Events per second (Warning) = Events/Sec * 1.5

The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.

To configure Intrusion Event Rate Monitor health module settings:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, select Intrusion Event Rate .

The Health Policy Configuration — Intrusion Event Rate page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Events per second (Critical) field, enter the number of events per second that should trigger a critical health status.

Step 4 In the Events per second (Warning) field, enter the number of events per second that should trigger a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Understanding License Monitoring

License: Any

Use the License Monitoring health status module to determine if sufficient licenses remain for Control, Protection, URL Filtering, Malware, and VPN. This module alerts if the number of remaining licenses is low or insufficient.

This module also alerts if the system detects that devices in a stacked configuration have mismatched license sets (stacked devices must have identical sets of licenses).

The License Monitoring module is automatically configured. Because you cannot change or disable this module, it does not appear on the Health Policy Configuration page.

Configuring Link State Propagation Monitoring

License: Any

Use the Link State Propagation health status module to detect the link state propagation status on an inline pair. If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads:

where x and y are the paired interface numbers.

To configure Link State Propagation health module settings:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, select Link State Propagation .

The Health Policy Configuration — Link State Propagation monitor page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Memory Usage Monitoring

License: Any

Use the Memory Usage health status module to set memory usage limits. The module calculates free memory by considering free memory, cached memory, and swap memory. If the memory usage on the monitored appliance exceeds the Warning limit, the status classification for that module changes to Warning. If the memory usage on the monitored appliance exceeds the Critical limit, the status classification for that module changes to Critical. That status data feeds into the health monitor.

For appliances with more than 4GB of memory, the preset alert thresholds are based on a formula that accounts for proportions of available memory likely to cause system problems.

Note On <4GB appliances, because the interval between Warning and Critical thresholds may be very narrow, Cisco recommends that you manually set the Warning Threshold % value to 50. This will further ensure that you receive memory alerts for your appliance in time to address the issue.

The maximum percentage you can set for either limit is 100 percent, and the Critical limit must be higher than the Warning limit.

Note If you apply an access control policy with many FireSIGHT features enabled (such as security intelligence, file capture, intrusion policies with many rules, or URL filtering), some lower-end ASA FirePOWER devices may generate intermittent memory usage warnings, as the device’s memory allocation is being used to the fullest extent possible.

To configure Memory Usage health module settings:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, select Memory Usage .

The Health Policy Configuration — Memory Usage page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Critical Threshold % field, enter the percentage of memory usage that should trigger a critical health status.

Step 4 In the Warning Threshold % field, enter the percentage of memory usage that should trigger a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Power Supply Monitoring

License: Any

Supported Devices: 3D3500, 3D4500, 3D6500, 3D9900, Series 3

Supported Defense Centers: DC1500, DC2000, DC3500, DC4000

Use the Power Supply health status module to detect a power supply failure on any of the supported platforms. If the module finds a power supply that has no power, the status classification for that module changes to No Power. If the module cannot detect the presence of the power supply, the status changes to Critical Error. That status data feeds into the health monitor. You can expand the Power Supply item on the Alert Detail list in the health monitor to see specific status items for each power supply.

To configure Power Supply health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Power Supply .

The Health Policy Configuration — Power Supply page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Process Status Monitoring

License: Any

Use the Process Status health module to monitor for processes running on the appliance that exit or terminate outside of the process manager. The response of the Process Status module to a process ending depends on how the process ends:

• If the process terminates inside the process manager, the module does not report any health events.
• If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited until the module runs again and the process has restarted.
• If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process until the module runs again and the process has restarted.

To configure Process Status health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Process Status .

The Health Policy Configuration — Process Status page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate appliances if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Reconfiguring Detection Monitoring

License: Any

Use the Reconfiguring Detection Monitor module to determine the status of detection capabilities after applying a policy to your managed devices. If a policy apply fails and detection ceases functionality, the module generates an alert in Health Events.

To configure time series data monitoring settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Reconfiguring Detection .

The Health Policy Configuration — Reconfiguring Detection page appears.

Step 2 Select On for the Enabled option to enable use of the module for health alerts.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring RRD Server Process Monitoring

License: Any

Use the RRD Server Process module to see if the RRD server that stores time series data is working properly. The module will alert If the RRD server has restarted since the last time it updated; it will enter Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration.

To configure RRD server process monitoring settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select RRD Server Process .

The Health Policy Configuration — RRD Server Process page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 In the Critical Number of restarts field, enter the number of consecutive detected RRD server resets that should trigger a critical health status.

Step 4 In the Warning Number of restarts field, enter the number of consecutive detected RRD server resets that should trigger a warning health status.

Step 5 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Security Intelligence Monitoring

License: Protection

Supported Defense Centers: Any except DC500

Use the Security Intelligence module to warn you in a variety of situations involving Security Intelligence filtering. The module alerts if Security Intelligence is in use and:

• the Defense Center cannot update a feed, or if feed data is corrupt or contains no recognizable IP addresses
• a managed device had a problem receiving updated Security Intelligence data from the Defense Center
• a managed device cannot load all of the Security Intelligence data provided to it by the Defense Center, due to memory issues

Tip If a Security Intelligence memory warning appears in the health monitor, you can reapply the affected device’s access control policy to increase the memory allocated to Security Intelligence; see Applying an Access Control Policy.

For more information on Security Intelligence filtering, see Blacklisting Using Security Intelligence IP Address Reputation and Working with Security Intelligence Lists and Feeds.

To configure Security Intelligence module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Security Intelligence .

The Health Policy Configuration — Security Intelligence page appears.

Step 2 Select On for the Enabled option to enable use of the module for Security Intelligence monitoring.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Time Series Data Monitoring

License: Any

Use the Time Series Data Monitor module to monitor the status of time series data (such as lists of compliance events) that your system has stored. This module scans your time series data storage directory for corrupt files. If the module finds corrupted data, it enters a Warning status and reports the names of all affected files.

To configure time series data monitoring settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Time Series Data Monitor .

The Health Policy Configuration — Time Series Data Monitor page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring Time Synchronization Monitoring

License: Any

Use the Time Synchronization Status module to detect when the time on a managed device that uses NTP to obtain time from an NTP server differs by 10 seconds or more from the time on the server.

To configure time synchronization monitoring settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select Time Synchronization Status .

The Health Policy Configuration — Time Synchronization Status page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Configuring URL Filtering Monitoring

License: URL Filtering

Supported Defense Centers: Any except DC500

Use the URL Filtering Monitor module to track communications between the Defense Center and the Cisco cloud, where the system obtains its URL filtering (category and reputation) data for commonly visited URLs. If the Defense Center fails to successfully communicate with or retrieve an update from the cloud, the status classification for that module changes to Critical.

In a high availability configuration, only the primary Defense Center communicates with the URL filtering cloud; all data from this module refers only to that primary appliance.

The URL Filtering Monitor module also tracks communications between the Defense Center and any managed devices where you have enabled URL filtering. If the Defense Center is successfully communicating with the cloud, the module status changes to Warning if the Defense Center cannot push new URL filtering data to its managed devices.

To configure URL Filtering Monitor health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select URL Filtering Monitor .

The Health Policy Configuration — URL Filtering Monitor page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the Defense Center if you want your settings to take effect. See Applying Health Policies for more information.

Configuring User Agent Status Monitoring

License: FireSIGHT

You can use the User Agent Status Monitor health module to monitor the heartbeat of agents connected to a Defense Center. If you enable the module in an applied health policy, the module generates a health alert if the Defense Center does not detect a heartbeat for any agent configured on the Defense Center.

To configure User Agent Status Monitor health module settings:

Access: Admin/Maint

Step 1 In the Health Policy Configuration page, select User Agent Status Monitor .

The Health Policy Configuration — User Agent Status Monitor page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the Defense Center if you want your settings to take effect. See Applying Health Policies for more information.

Configuring VPN Status Monitoring

License: VPN

Supported Defense Centers: Any except Series 2

Use the VPN Status health module to monitor the current status of your configured Gateway VPN tunnels; information for each individual tunnel is displayed. This module generates a Critical (red) health alert when any of your VPN tunnels is not working.

To configure VPN Status health module settings:

Access: Admin/Maint

Step 1 On the Health Policy Configuration page, click VPN Status .

The Health Policy Configuration — VPN Status page appears.

Step 2 Select On for the Enabled option to enable use of the module for health status testing.

Step 3 You have three options:

• To save your changes to this module and return to the Health Policy page, click Save Policy and Exit .
• To return to the Health Policy page without saving any of your settings for this module, click Cancel .
• To temporarily save your changes to this module and switch to another module’s settings to modify, select the other module from the list at the left of the page. If you click Save Policy and Exit when you are done, all changes you made will be saved; if you click Cancel , you discard all changes.

You must apply the health policy to the appropriate devices if you want your settings to take effect. See Applying Health Policies for more information.

Applying Health Policies

License: Any

When you apply a health policy to an appliance, the health tests for all the modules you enabled in the policy automatically monitor the health of the processes and hardware on the appliance. Health tests then continue to run at the intervals you configured in the policy, collecting health data for the appliance and forwarding that data to the Defense Center.

If you enable a module in a health policy and then apply the policy to an appliance that does not require that health test, the health monitor reports the status for that health module as disabled.

If you apply a policy with all modules disabled to an appliance, it removes all applied health policies from the appliance so no health policy is applied.

When you apply a different policy to an appliance that already has a policy applied, expect some latency in the display of new data based on the newly applied tests.

Note Custom health policies created on Defense Centers in a high availability pair will be replicated between both appliances. However, changes to default health policies are not replicated; each appliance uses the local default health policy configured for that appliance.

To apply a health policy:

Access: Admin/Maint

Step 1 Select Health > Health Policy .

The Health Policy page appears.

Step 2 Click the apply icon ( ) next to the policy you want to apply.

The Health Policy Apply page appears.

Tip The status icon () next to the Health Policy column indicates the current health status for the appliance.

Step 3 Select the appliances where you want to apply the health policy.

Step 4 Click Apply to apply the policy to the selected appliances.

The Health Policy page appears, with a message indicating if the application of the policy was successful. Monitoring of the appliance starts as soon as the policy is successfully applied.

Editing Health Policies

License: Any

You can modify a health policy by enabling or disabling modules or by changing module settings. If you modify a policy that is already applied to an appliance, the changes do not take effect until you reapply the policy.

Applicable health models for various appliances are listed in the following table.

Comparing Health Policies

License: Any

To review policy changes for compliance with your organization’s standards or to optimize health monitoring performance, you can examine the differences between two health policies. You can compare any two health policies or two revisions of the same health policy, for the health policies you can access. To quickly compare your active health policy to another, you can select the Running Configuration option. Optionally, after you compare, you can then generate a PDF report to record the differences between the two policies or policy revisions.

There are two tools you can use to compare health policies or health policy revisions:

• The comparison view displays only the differences between two health policies or health policy revisions in a side-by-side format; the name of each policy or policy revision appears in the title bar on the left and right sides of the comparison view.

You can use this to view and navigate both policy revisions on the web interface, with their differences highlighted.

• The comparison report creates a record of only the differences between two health policies or health policy revisions in a format similar to the health policy report, but in PDF format.

You can use this to save, copy, print and share your policy comparisons for further examination.

For more information on understanding and using the health policy comparison tools, see:

• Using the Health Policy Comparison View
• Using the Health Policy Comparison Report

Using the Health Policy Comparison View

License: Any

The comparison view displays both health policies or policy revisions in a side-by-side format, with each policy or policy revision identified by name in the title bar on the left and right sides of the comparison view. The time of last modification and the last user to modify are displayed to the right of the policy name. Note that the Health Policy page displays the time a policy was last modified in local time, but the health policy report lists the time modified in UTC.

Differences between the two health policies or policy revisions are highlighted:

• Blue indicates that the highlighted setting is different in the two policies or policy revisions, and the difference is noted in red text.
• Green indicates that the highlighted setting appears in one policy or policy revision but not the other.

You can perform any of the actions in the following table.

Using the Health Policy Comparison Report

License: Any

A health policy comparison report is a record of all differences between two health policies or two revisions of the same health policy identified by the health policy comparison view, presented as a PDF. You can use this report to further examine the differences between two health policy configurations and to save and disseminate your findings.

You can generate a health policy comparison report from the comparison view for any health policies to which you have access. Remember to commit any potential changes before you generate a health policy report; only committed changes appear in the report.

Depending on your configuration, a health policy comparison report can contain one or more sections. Each section uses the same format and provides the same level of detail. Note that the Value A and Value B columns represent the policies or policy revisions you configured in the comparison view.

Tip You can use a similar procedure to compare SSL, network analysis, intrusion, file, system, or access control policies.

To compare two health policies or two revisions of the same policy:

Access: Admin/Maint

Step 1 Select Health > Health Policy .

The Health Policy page appears.

Step 2 Click Compare Policies .

The Select Comparison window appears.

Step 3 From the Compare Against drop-down list, select the type of comparison you want to make:

• To compare two different policies, select Other Policy .
• To compare two revisions of the same policy, select Other Revision .
• To compare another policy to the currently active policy, select Running Configuration.

Remember to commit any changes before you generate a health policy report; only committed changes appear in the report.

Step 4 Depending on the comparison type you selected, you have the following choices:

• If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
• If you are comparing two revisions of the same policy, select the policy from the Policy drop-down list, then select the revisions you want to compare from the Revision A and Revision B drop-down lists.
• If you are comparing the running configuration to another policy, select the second policy from the Policy B drop-down list.

Step 5 Click OK to display the health policy comparison view.

The comparison view appears.

Step 6 Click Comparison Report to generate the health policy comparison report.

The health policy report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.

Deleting Health Policies

License: Any

You can delete health policies that you no longer need. If you delete a policy that is still applied to an appliance, the policy settings remain in effect until you apply a different policy. In addition, if you delete a health policy that is applied to a device, any health monitoring alerts in effect for the device remain active until you disable the underlying associated alert response; see Enabling and Disabling Alert Responses.

Tip To stop health monitoring for an appliance, create a health policy with all modules disabled and apply it to the appliance. For more information on creating health policies, see Creating Health Policies. For more information on applying health policies, see Applying Health Policies.

To delete a health policy:

Access: Admin/Maint

Step 1 Select Health > Health Policy .

The Health Policy page appears.

Step 2 Click the delete icon ( ) next to the policy you want to delete.

A message appears, indicating if the deletion was successful.

Blacklisting Health Policies or Appliances

License: Any

If you want to set health events to disabled for all appliances with a particular health policy, you can blacklist the policy. If you need to disable the results of a group of appliances’ health monitoring, you can blacklist the group of appliances. After the blacklist settings take effect, the appliance shows as disabled in the Health Monitor Appliance Module Summary and Device Management page. Health events for the appliance have a status of disabled.

Note that if your Defense Center is in a high availability configuration, you can blacklist a managed device on one high availability peer and not the other. You can also blacklist the high availability peer to cause it to mark events generated by it and the devices from which it receives health events as disabled. Defense Centers in a high availability pair have the option to completely or partially blacklist their peer.

To blacklist an entire health policy or group of appliances:

Access: Admin/Maint

Step 1 Select Health > Blacklist .

The Blacklist page appears.

Step 2 Use the drop-down list on the right to sort the list by group, policy, or model. (Groups on a Defense Center are managed devices.)

Note that appliances with some, but not all, health modules blacklisted will appear as (Partially Blacklisted) . If you edit their blacklist status on the main blacklist page, you can either blacklist all modules on those appliances or remove all blacklisting. For information on blacklisting individual health modules on an appliance, see Blacklisting a Health Policy Module.

Tip The status icon next to the Health Policy column () indicates the current health status for the appliance. The status icon next to the System Policy column () indicates the communication status between the Defense Center and the device.

Step 3 You have two options:

• To blacklist all appliances in a group, model, or policy category, select the category, then click Blacklist Selected Devices .
• To clear blacklisting from all appliances in a group, model, or policy category, select the category, then click Clear Blacklist on Selected Devices .

The page refreshes, now indicating the new blacklist state of the appliances.

Blacklisting an Appliance

License: Any

If you need to set the events and health status for an individual appliance to disabled, you can blacklist the appliance. After the blacklist settings take effect, the appliance shows as disabled in the Health Monitor Appliance Module Summary and health events for the appliance have a status of disabled.

To blacklist an individual appliance:

Access: Admin/Maint

Step 1 Select Health > Blacklist .

The Blacklist page appears.

Step 2 Use the drop-down list on the right to sort the list by appliance group, model, or by policy.

Step 3 You have two options:

• To blacklist all appliances in a group, model, or policy category, select the category, then click Blacklist Selected Devices .
• To clear blacklisting from all appliances in a group, model, or policy category, select the category, then click Clear Blacklist on Selected Devices .

The page refreshes and indicates the new blacklist state of the appliances. Click Edit and see Blacklisting a Health Policy Module to blacklist individual health policy modules.

Blacklisting a Health Policy Module

License: Any

You can blacklist individual health policy modules on appliances. You may want to do this to prevent events from the module from changing the status for the appliance to warning or critical.

When any part of a module is blacklisted, the line for that module appears in boldface type in the Defense Center web interface.

Tip After the blacklist settings take effect, the appliance shows as Partially Blacklisted or All Modules Blacklisted on the Blacklist page and in the Appliance Health Monitor Module Status Summary, but only in expanded views on the main Appliance Status Summary page. Make sure that you keep track of individually blacklisted modules so you can reactivate them when you need them. You may miss necessary warning or critical messages if you accidentally leave a module disabled.

To blacklist an individual health policy module:

Access: Admin/Maint

Step 1 Select Health > Blacklist .

The Blacklist page appears.

Step 2 Sort by Group, Policy, or Model, then click Edit to display the list of health policy modules for an appliance.

The health policy modules appear.

Step 3 Select each module that you want to blacklist.

Step 4 Click Save .

Creating Health Monitor Alerts

License: Any

When you create a health monitor alert, you create an association between a severity level, a health module, and an alert response. You can use an existing alert or configure a new one specifically to report on system health. When the severity level occurs for the selected module, the alert triggers.

Note that if you create or update a threshold in a way that duplicates an existing threshold, you are notified of the conflict. When duplicate thresholds exist, the health monitor uses the threshold that generates the fewest alerts and ignores the others. The timeout value for the threshold must be between 5 and 4,294,967,295 minutes.

To create health monitor alerts:

Access: Admin

Step 1 Select Health > Health Monitor Alerts .

The Health Monitor Alerts page appears.

Step 2 Type a name for the health alert in the Health Alert Name field.

Step 3 From the Severity list, select the severity level you want to use to trigger the alert.

Step 4 From the Module list, select the modules for which you want the alert to apply.

Tip To select multiple modules, press Shift + Ctrl and click the module names.

Step 5 From the Alert list, select the alert response that you want to trigger when the selected severity level is reached.

Tip Click Alerts to open the Alerts page. For more information on creating alerts, see Working with Alert Responses.

Step 6 Optionally, in the Threshold Timeout field, type the number of minutes that should elapse before each threshold period ends and the threshold count resets. The default value is 5 minutes.

Note that even if the policy run time interval value is less than the threshold timeout value, the interval between two reported health events from a given module is always greater, such that if the threshold timeout is 8 minutes and the policy run time interval is 5 minutes, there will be a 10-minute interval (5 x 2) between reported events.

Step 7 Click Save to save the health alert.

A message appears, indicating if the alert configuration was successfully saved. The Active Health Alerts list now includes the alert you created.

Interpreting Health Monitor Alerts

License: Any

The alerts generated by the health monitor contain the following information:

• Severity, which indicates the severity level of the alert.
• Module, which specifies the health module whose test results triggered the alert.
• Description, which includes the health test results that triggered the alert.

For more information on health alert severity levels, see the following table.

Editing Health Monitor Alerts

License: Any

You can edit existing health monitor alerts to change the severity level, health module, or alert response associated with the health monitor alert.

To edit health monitor alerts:

Access: Admin

Step 1 Select Health > Health Monitor Alerts .

The Health Monitor Alerts page appears.

Step 2 Select the alert you want to modify in the Active Health Alerts list.

Step 3 Click Load to load the configured settings for the selected alert.

Step 4 Modify settings as needed. For more information, see Creating Health Monitor Alerts.

Step 5 Click Save to save the modified health alert.

A message appears, indicating if the alert configuration was successfully saved.

Deleting Health Monitor Alerts

License: Any

You can delete existing health monitor alerts.

Note Deleting a health monitor alert does not delete the associated alert response. You must disable or delete the underlying alert response to ensure that alerting does not continue. For more information, see Enabling and Disabling Alert Responses and Deleting an Alert Response.

To delete health monitor alerts:

Access: Admin

Step 1 Select Health > Health Monitor Alerts .

The Health Monitor Alerts page appears.

Step 2 Select the alert you want to delete in the Active Health Alerts list.

Step 3 Click Delete .

A message appears, indicating if the alert configuration was successfully deleted.

Interpreting Health Monitor Status

License: Any

Available status categories, by severity, include Error, Critical, Warning, Normal, Recovered, and Disabled, as described in the following table.

Viewing Alerts by Status

License: Any

You can show or hide categories of alerts by status.

To show alerts by status:

Access: Admin/Maint/Any Security Analyst

Step 1 Click the status icon or the color segment in the pie chart that corresponds to the health status of the alerts you want to view. The alerts for that category appear in the Alert Detail list.

To hide alerts by status:

Access: Admin/Maint/Any Security Analyst

Step 1 Click the status icon or the color segment in the pie chart that corresponds to the health status of the alerts you want to view. The alerts in the Alert Detail list for that category disappear.

Running All Modules for an Appliance

License: Any

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run all health module tests on demand to collect up-to-date health information for the appliance.

To run all health modules for the appliance:

Access: Admin/Maint/Any Security Analyst

Step 1 Select Health > Health Monitor .

The Health Monitor page appears.

Step 2 To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

Tip If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

Step 3 In the Appliance column of the appliance list, click the name of the appliance for which you want to view details.

The Health Monitor Appliance page appears.

Step 4 Click Run All Modules .

The status bar indicates the progress of the tests, then the Health Monitor Appliance page refreshes.

Note When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually run tests. If the value has not changed for a module that you just ran manually, wait a few seconds, then refresh the page by clicking the device name. You can also wait for the page to refresh again automatically.

Running a Specific Health Module

License: Any

Health module tests run automatically at the policy run time interval you configure when you create a health policy. However, you can also run a health module test on demand to collect up-to-date health information for that module.

To run a specific health module:

Access: Admin/Maint/Any Security Analyst

Step 1 Select Health > Health Monitor .

The Health Monitor page appears.

Step 2 To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

Tip If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

Step 3 In the Appliance column of the appliance list, click the name of the appliance for which you want to view details.

The Health Monitor Appliance page appears.

Step 4 In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

Step 5 In the Alert Detail row for the alert for which you want to view a list of events, click Run .

The status bar indicates the progress of the test, then the Health Monitor Appliance page refreshes.

Note When you manually run health modules, the first refresh that automatically occurs may not reflect the data from the manually run tests. If the value has not changed for a module that you just manually ran, wait a few seconds, then refresh the page by clicking the device name. You can also wait for the page to refresh automatically again.

Generating Health Module Alert Graphs

License: Any

You can graph the results over a period of time of a particular health test for a specific appliance.

To generate a health module alert graph:

Access: Admin/Maint/Any Security Analyst

Step 1 Select Health > Health Monitor .

The Health Monitor page appears.

Step 2 To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

Tip If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

Step 3 In the Appliance column of the appliance list, click the name of the appliance for which you want to view details.

The Health Monitor Appliance page appears.

Step 4 In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

Step 5 In the Alert Detail row for the alert for which you want to view a list of events, click Graph .

A graph appears, showing the status of the event over time. The Alert Detail section below the graph lists all health alerts for the selected appliance.

Tip If no events appear, you may need to adjust the time range. See Setting Event Time Constraints for more information.

Using the Health Monitor to Troubleshoot

License: Any

In some cases, if you have a problem with your appliance, Support may ask you to generate troubleshooting files to help them diagnose the problem. You can select any of the options listed in the following table to customize the troubleshooting data that the health monitor reports.

Generating Appliance Troubleshooting Files

License: Any

Use the following procedure to generate customized troubleshooting files that you can send to Support.

Note You cannot use the primary Defense Center in a high availability configuration to generate troubleshooting files for the secondary Defense Center, or visa versa. You must generate troubleshooting files for a Defense Center from its own web interface.

To generate troubleshooting files:

Access: Admin/Maint/Any Security Analyst

Step 1 Select Health > Health Monitor .

The Health Monitor page appears.

Step 2 To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

Tip If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

Step 3 In the Appliance column of the appliance list, click the name of the appliance for which you want to view details.

The Health Monitor Appliance page appears.

Step 4 Click Generate Troubleshooting Files .

The Troubleshooting Options pop-up window appears.

Step 5 Select All Data to generate all possible troubleshooting data, or select individual check boxes to customize your report. For more information, see the Selectable Troubleshoot Options table.

Step 6 Click OK .

The Defense Center generates the troubleshooting files. You can monitor the file generation process in the task queue ( System > Monitoring > Task Status ).

Step 7 Continue with the procedure in the next section, Downloading Troubleshooting Files.

Downloading Troubleshooting Files

License: Any

Use the following procedure to download copies of your generated troubleshooting files.

To download troubleshooting files:

Access: Admin/Maint/Any Security Analyst

Step 1 Select System > Monitoring > Task Status .

The Task Status page appears.

Step 2 Find the task that corresponds to the troubleshooting files you generated.

Step 3 After the appliance generates the troubleshooting files and the task status changes to Completed , click Click to retrieve generated files .

Step 4 Follow your browser’s prompts to download the files.

The files are downloaded in a single .tar.gz file.

Step 5 Follow the directions from Support to send the troubleshooting files to Cisco.

Understanding Health Event Views

License: Any

The Defense Center health monitor logs health events, which you can see on the Health Event View page. If you understand what conditions each health module tests for, you can more effectively configure alerting for health events. For more information on the different types of health modules that generate health events, see Understanding Health Modules.

For more information about viewing and searching for health events, see the following sections:

• Viewing Health Events
• Understanding the Health Events Table
• Searching for Health Events

Viewing Health Events

License: Any

You can view the appliance health data collected by your health monitor in several ways.

For more information, see the following topics:

• Viewing All Health Events
• Viewing Health Events by Module and Appliance
• Working with the Health Events Table View
• Interpreting Hardware Alert Details for 3D9900 Devices
• Interpreting Hardware Alert Details for Series 3 Devices

Viewing All Health Events

License: Any

The Table View of Health Events page provides a list of all health events on the selected appliance. For a description of the health modules that generated the events that you may see on this page, see Understanding Health Modules.

When you access health events from the Health Monitor page on your Defense Center, you retrieve all health events for all managed appliances.

To view all health events on all managed appliances:

Access: Admin/Maint/Any Security Analyst

Step 1 Select Health > Health Events .

The Events page appears, containing all health events.

Note If no events appear, you may need to adjust the time range. See Setting Event Time Constraints for more information.

Tip You can bookmark this view to allow you to return to the page in the health events workflow containing the Health Events table of events. The bookmarked view retrieves events within the time range you are currently viewing, but you can then modify the time range to update the table with more recent information if needed. For more information, see Setting Event Time Constraints.

Viewing Health Events by Module and Appliance

License: Any

You can query for events generated by a specific health module on a specific appliance.

To view the health events for a specific module:

Access: Admin/Maint/Any Security Analyst

Step 1 Select Health > Health Monitor .

The Health Monitor page appears.

Step 2 To expand the appliance list to show appliances with a particular status, click the arrow in that status row.

Tip If the arrow in the row for a status level points down, the appliance list for that status shows in the lower table. If the arrow points right, the appliance list is hidden.

Step 3 In the Appliance column of the appliance list, click the name of the appliance for which you want to view details.

The Health Monitor Appliance page appears.

Step 4 In the Module Status Summary graph of the Health Monitor Appliance page, click the color for the health alert status category you want to view.

The Alert Detail list expands to list the health alerts for the selected appliance for that status category.

Step 5 In the Alert Detail row for the alert for which you want to view a list of events, click Events .

The Health Events page appears, containing query results for a query with the name of the appliance and the name of the selected health alert module as constraints.

If no events appear, you may need to adjust the time range. See Setting Event Time Constraints for more information.

Step 6 If you want to view all health events for the selected appliance, expand Search Constraints and click the Module Name constraint to remove it.

Working with the Health Events Table View

License: Any

The following table describes each action you can perform from the Event View page.

Interpreting Hardware Alert Details for 3D9900 Devices

License: Any

For 3D9900 device models, hardware alarms generate in response to the events described in the following table. The triggering condition can be found in the message detail for the alert.

Interpreting Hardware Alert Details for Series 3 Devices

For Series 3 devices, hardware alarms generate in response to the events described in the following table. The triggering condition appears in the message detail for the alert.

Understanding the Health Events Table

License: Any

You can use the Defense Center’s health monitor to determine the status of critical functionality within the FireSIGHT System. You create and apply health policies to your appliances, which monitor a variety of aspects, including hardware and software status. The Health Monitor modules you choose to enable in your health policy run various tests to determine appliance health status. When the health status meets criteria that you specify, a health event is generated. For more information on health monitoring, see Monitoring the System.

The fields in the health events table are described in the following table.

 

Table 68-11 Health Event Fields

Field	Description
Test Name	The name of the health module that generated the event. For a list of health modules, see the Health Modules table.
Time	The timestamp for the health event.
Description	The description of the health module that generated the event. For example, health events generated when a process was unable to execute are labeled Unable to Execute .
Value	The value (number of units) of the result obtained by the health test that generated the event. For example, if the Defense Center generates a health event whenever a device it is monitoring is using 80 percent or more of its CPU resources, the value could be a number from 80 to 100.
Units	The units descriptor for the result. You can use the asterisk (*) to create wildcard searches. For example, if the Defense Center generates a health event when a device it is monitoring is using 80 percent or more of its CPU resources, the units descriptor is a percentage sign (%).
Status	The status (Critical, Yellow, Green, or Disabled) reported for the appliance.
Device	The appliance where the health event was reported.

To display the table view of health events:

Access: Admin/Maint/Any Security Analyst

---

Step 1 Select Health > Health Events .

The table view appears. For information on working with health events, see Working with Health Events.

---

Tip If you are using a custom workflow that does not include the table view of health events, click (switch workflow). On the Select Workflow page, click Health Events.

---

---

 

Searching for Health Events

License: Any

You can search for specific health events. You may want to create searches customized for your network environment, then save them to reuse later. The following table describes the search criteria you can use.

 

Table 68-12 Health Event Search Criteria

Search Field	Description
Module Name	Specify the name of the module which generated the health events you want to view. For example, to view events that measure CPU performance, type CPU . The search should retrieve applicable CPU Usage and CPU temperature events.
Value	Specify the value (number of units) of the result obtained by the health test for the events you want to view. For example, if you specify a value of 15 and type CPU in the Units field, you retrieve events where the appliance CPU was running at 15% utilization at the time the test ran.
Description	Specify the description of the events you want to view. For example, you could enter Unable to Execute to view any health events where a process was unable to execute. You can use an asterisk (*) in this field to create wildcard searches.
Units	Specify the units descriptor for the result obtained by the health test for the events you want to view. You can use an asterisk (*) in this field to create wildcard searches. For example, if you type % in the Units field, you retrieve all events for the Disk Usage modules, because the Disk Usage module has a “%” label in the Units field (and no additional text). However, if you type *% in the Units field, you retrieve all events for any modules that contain text followed by a “%” sign in the Units field.
Status	Specify the status for the health events that you want to view. Valid status levels are Critical, Warning, Normal, Error, and Disabled. For example, type Critical to retrieve all health events that indicate a critical status.
Device	Type the device name or IP address, or a device group, stack, or cluster name to restrict the search to health events generated by one or more specific devices. For detailed information on how the FireSIGHT System treats the device field in searches, see Specifying Devices in Searches.

For more information on searching, including information on special search syntax as well as saving and loading searches, see Performing and Saving Searches.

To search for health events:

Access: Admin/Maint/Any Security Analyst

---

Step 1 Select Analysis > Search .

The Search page appears.

Step 2 Select Health Events from the table drop-down list.

The page updates with the appropriate constraints.

Step 3 Enter your search criteria in the appropriate fields, as described in the Health Event Search Criteria table.

If you enter multiple criteria, the search returns only the records that match all the criteria.

Step 4 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.

---

Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.

---

Step 5 Optionally, you can save the search to be used again in the future. You have to following options:

• Click Save to save the search criteria.

For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save . If you save new criteria for a previously-existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private ) so you can run it at a later time.

• Click Save as New to save a new search or assign a name to a search you created by altering a previously-save search.

A dialog box appears prompting for the name of the search; enter a unique search name and click Save . The search is saved (and visible only to your account if you selected Private ) so that you can run it at a later time.

Step 6 Click Search to start the search.

Your search results appear in the default health events workflow, constrained by the current time range. To use a different workflow, including a custom workflow, click (switch workflow) . For information on specifying a different default workflow, see Configuring Event View Settings.

---