- Title Page
- Introduction & Preface
- Logging into the FireSIGHT System
- Using Objects and Security Zones
- Managing Devices
- Setting Up an IPS Device
- Setting Up Virtual Switches
- Setting Up Virtual Routers
- Setting Up Aggregate Interfaces
- Setting Up Hybrid Interfaces
- Using Gateway VPNs
- Using NAT Policies
- Getting Started with Access Control Policies
- Blacklisting Using Security Intelligence IP Address Reputation
- Tuning Traffic Flow Using Access Control Rules
- Controlling Traffic with Network-Based Rules
- Controlling Traffic with Reputation-Based Rules
- Controlling Traffic Based on Users
- Controlling Traffic Using Intrusion and File Policies
- Understanding Traffic Decryption
- Getting Started with SSL Policies
- Getting Started with SSL Rules
- Tuning Traffic Decryption Using SSL Rules
- Understanding Intrusion and Network Analysis Policies
- Using Layers in Intrusion and Network Analysis Policies
- Customizing Traffic Preprocessing
- Getting Started with Network Analysis Policies
- Using Application Layer Preprocessors
- Configuring SCADA Preprocessing
- Configuring Transport & Network Layer Preprocessing
- Tuning Preprocessing in Passive Deployments
- Getting Started with Intrusion Policies
- Tuning Intrusion Rules
- Tailoring Intrusion Protection to Your Network Assets
- Detecting Specific Threats
- Limiting Intrusion Event Logging
- Understanding and Writing Intrusion Rules
- Blocking Malware and Prohibited Files
- Logging Connections in Network Traffic
- Working with Connection & Security Intelligence Data
- Analyzing Malware and File Activity
- Working with Intrusion Events
- Handling Incidents
- Configuring External Alerting
- Configuring External Alerting for Intrusion Rules
- Introduction to Network Discovery
- Enhancing Network Discovery
- Configuring Active Scanning
- Using the Network Map
- Using Host Profiles
- Working with Discovery Events
- Configuring Correlation Policies and Rules
- Using the FireSIGHT System as a Compliance Tool
- Creating Traffic Profiles
- Configuring Remediations
- Using Dashboards
- Using the Context Explorer
- Working with Reports
- Understanding and Using Workflows
- Using Custom Tables
- Searching for Events
- Managing Users
- Scheduling Tasks
- Managing System Policies
- Configuring Appliance Settings
- Licensing the FireSIGHT System
- Updating System Software
- Monitoring the System
- Using Health Monitoring
- Auditing the System
- Using Backup and Restore
- Specifying User Preferences
- Importing and Exporting Configurations
- Purging Discovery Data from the Database
- Viewing the Status of Long-Running Tasks
- Command Line Reference
- Security, Internet Access, and Communication Ports
- Third-Party Products
- glossary
- Configuring a Recurring Task
- Automating Backup Jobs
- Automating Certificate Revocation List Downloads
- Automating Nmap Scans
- Automating Applying an Intrusion Policy
- Automating Report Generation
- Automating Geolocation Database Updates
- Automating FireSIGHT Recommendations
- Automating Software Updates
- Automating Vulnerability Database Updates
- Automating URL Filtering Updates
- Viewing Tasks
- Editing Scheduled Tasks
- Deleting Scheduled Tasks
Scheduling Tasks
You can schedule many different types of administrative tasks to run at designated times, either once or on a recurring basis.
Note Some tasks (such as those involving automated software updates or that require pushing updates to managed devices) may place a significant load on networks with low bandwidths. You should schedule tasks like these to run during periods of low network use.
See the following sections for more information:
- Configuring a Recurring Task explains how to set up a scheduled task so that it runs at regular intervals.
- Automating Backup Jobs provides procedures for scheduling backup jobs.
- Automating Certificate Revocation List Downloads provides procedures for automatically refreshing the certificate revocation list (CRL) for an appliance.
- Automating Nmap Scans provides procedures for scheduling Nmap scans.
- Automating Applying an Intrusion Policy provides procedures for queuing an intrusion policy apply on managed devices.
- Automating Report Generation provides procedures for scheduling reports.
- Automating Geolocation Database Updates provides procedures for scheduling automatic updates of the geolocation database (GeoDB).
- Automating FireSIGHT Recommendations provides procedures for scheduling the automatic update of intrusion rule state recommendations.
- Automating Software Updates provides procedures for scheduling the download, push, and installation of software updates.
- Automating Vulnerability Database Updates provides procedures for scheduling the download and installation of VDB updates.
- Automating URL Filtering Updates provides procedures for automating updates of URL filtering data.
- Viewing Tasks describes how to view and manage tasks after they are scheduled.
- Editing Scheduled Tasks describes how to edit an existing task.
- Deleting Scheduled Tasks describes how to delete one-time tasks and all instances of recurring tasks.
Configuring a Recurring Task
You set the frequency for a recurring task using the same process for all types of tasks.
Note that the time displayed on most pages on the web interface is the local time, which is determined by using the time zone you specify in your local configuration. Further, the Defense Center automatically adjusts its local time display for daylight saving time (DST), where appropriate. However, recurring tasks that span the transition dates from DST to standard time and back do not adjust for the transition. That is, if you create a task scheduled for 2:00 AM during standard time, it will run at 3:00 AM during DST. Similarly, if you create a task scheduled for 2:00 AM during DST, it will run at 1:00 AM during standard time.
To configure a recurring task:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select the type of task that you want to schedule.
Each of the types of tasks you can schedule is explained in its own section.
Step 4 For the Schedule task to run option, select Recurring .
The page reloads with the recurring task options.
Step 5 In the Start On field, specify the date when you want to start your recurring task. You can use the drop-down list to select the month, day, and year.
Step 6 In the Repeat Every field, specify how often you want the task to recur. You can specify a number of hours, days, weeks, or months.
Tip You can either type a number or click the up icon (
) and the down () icon to specify the interval. For example, type 2 and select Days to run the task every two days.
Step 7 In the Run At field, specify the time when you want to start your recurring task.
Step 8 If you selected
Weeks
for
Repeat Every
, a
Repeat On
field appears. Select the check boxes next to the days of the week when you want to run the task.
Step 9 If you selected
Months
for
Repeat Every
, a
Repeat On
field appears. Use the drop-down list to select the day of the month when you want to run the task.
The remaining options on the New Task page are determined by the task you are creating. See the following sections for more information:
– Automating Certificate Revocation List Downloads
– Automating Report Generation
– Automating FireSIGHT Recommendations
– Automating Vulnerability Database Updates
– Automating URL Filtering Updates
Automating Backup Jobs
Supported Devices: Series 2 and Series 3
Supported Defense Centers: Any
You can use the scheduler to automate backups of your Defense Centers or physical managed devices. You must design a backup profile before you can configure a backup as a scheduled task. For more information, see Creating Backup Profiles.
You cannot perform scheduled backups of virtual managed devices, Cisco NGIPS for Blue Coat X-Series, or Cisco ASA with FirePOWER Services. To perform a scheduled backup of the configuration data on a physical managed device, schedule the task from the web interface of the device itself. To perform a scheduled backup of event data, perform a scheduled backup of the managing Defense Center.
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Backup .
The page reloads to show the backup options.
Step 4 Specify how you want to schedule the backup, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 From the Backup Profile list, select the appropriate backup profile.
For more information on creating new backup profiles, see Creating Backup Profiles.
Step 7 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 8 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured on the Defense Center to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Certificate Revocation List Downloads
You can use the scheduler to automatically refresh the certificate revocation list (CRL) for the appliance web server on an appliance where you enable user certificates for the appliance. The Download CRL task is automatically created when you enable fetching of a CRL in the local appliance configuration, so this procedure explains how to open the scheduled task to set the frequency.
Tip You must enable and configure user certificates and set a CRL download URL before scheduling this task. For information on configuring user certificates, see Requiring User Certificates.
To automate download of certificate revocation lists:
Step 1 Select System > Tools > Scheduling .
Step 2 Locate the
download CRL
task in the Task Details and click the edit icon (
).
The Edit Task page appears, showing the download options.
Step 3 Specify how you want to schedule the CRL download, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 4 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 5 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured on the Defense Center to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Nmap Scans
You can schedule regular Nmap scans of targets on your network. Automated scans allow you to refresh information previously supplied by an Nmap scan. Because the FireSIGHT System cannot update Nmap-supplied data, you need to rescan periodically to keep that data up to date. You can also schedule scans to automatically test for unidentified applications or servers on hosts in your network. See the following sections for more information:
Note that a Discovery Administrator can also use an Nmap scan as a remediation. For example, when an operating system conflict occurs on a host, that conflict may trigger an Nmap scan. Running the scan obtains updated operating system information for the host, which resolves the conflict. For more information, see Nmap Scan Remediations.
Preparing Your System for an Nmap Scan
If you have not used the Nmap scanning capability before, you must complete several Nmap configuration steps before defining a scheduled scan. See the following sections for more information:
- Creating an Nmap Scan Instance provides information on setting up an Nmap server connection profile.
- Creating an Nmap Scan Target provides information on setting up a scan target.
- Creating an Nmap Remediation provides information on setting up a remediation definition.
Scheduling an Nmap Scan
You can schedule a scan of a host or hosts on your network using the Nmap utility.
After Nmap replaces a host’s operating system, applications, or servers detected by the system with the results from an Nmap scan, the system no longer updates the information replaced by Nmap for the host. Nmap-supplied service and operating system data remains static until you run another Nmap scan. If you plan to scan a host using Nmap, you may want to set up regularly scheduled scans to keep Nmap-supplied operating systems, applications, or servers up to date. If the host is deleted from the network map and re-added, any Nmap scan results are discarded and the system resumes monitoring of all operating system and service data for the host.
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Nmap Scan .
The page reloads to show the options for automating Nmap scans.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 In the Nmap Remediation field, select the Nmap remediation to use when running the scan.
Step 7 In the Nmap Target field, select the scan target that defines the target hosts you want to scan.
Step 8 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 9 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Applying an Intrusion Policy
You can queue an intrusion policy apply to a managed device. This task only applies the intrusion policy if an access control policy that references the intrusion policy is applied to the selected device when the task runs. Otherwise, the task aborts before completion.
You must associate an intrusion policy with an access control policy and apply the access control policy to a device before scheduling this task; see Controlling Traffic Using Intrusion and File Policies.
To queue a policy apply to a managed device:
Step 1 Select System > Tools > Scheduling .
The schedule calendar page for the current month appears.
Step 3 From the Job Type list, select Queue Intrusion Policy Apply .
The page reloads to show the options for queuing a policy apply.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the Defense Center.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 In the Intrusion Policy field, you have the following options:
Step 7 In the Device field, you have the following options:
Tip This field only displays devices which have the intrusion policy selected in the Intrusion Policy field already applied.
Step 8 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the Tasks Details section at the bottom of the schedule calendar page, so you should limit the size of your comment.
Step 9 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task in the Task Details section of the calendar page; see Viewing the Status of Long-Running Tasks.
Step 11 To edit your saved task, click the task anywhere it appears on the schedule calendar page.
The Task Details section appears at the bottom of the page. To make any changes, click the edit icon (
).
Automating Report Generation
Supported Devices: Any but X-Series
You can automate reports so that they run at regular intervals. However, you must design a template for your report before you can configure it as a scheduled task. See Understanding Report Templates for more information about using the report designer to create a report template.
If you also want to distribute email reports using the scheduler, you must configure your report template and a mail relay host before scheduling the task. For more information, see Distributing Reports by Email at Generation Time and Configuring a Mail Relay Host and Notification Address.
To automate report generation:
Step 1 Select System > Tools > Scheduling .
The schedule calendar page for the current month appears.
Step 3 From the Job Type list, select Report .
The page reloads to show the options for setting up a report to run automatically.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the Defense Center.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 In the Report Template field, select the report template that you want to use from the drop-down list. For more information, see Creating and Editing Report Templates.
Step 7 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the Tasks Details section at the bottom of the schedule calendar page, so you should limit the size of your comment.
Step 8 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
Note Configuring this option does not distribute the reports. For more information, see Distributing Reports by Email at Generation Time.
Step 9 If you do not want to receive report email attachments when reports have no data (for example, when no events of a certain type occurred during the report period), select the If report is empty, still attach to email check box.
The task is added. You can check the status of a running task in the Task Details section of the calendar page; see Viewing the Status of Long-Running Tasks.
Step 11 To edit your saved task, click the task anywhere it appears on the schedule calendar page.
The Task Details section appears at the bottom of the page. To make any changes, click the edit icon (
).
Automating Geolocation Database Updates
Supported Defense Centers: Any except DC500
You can use the scheduler to automate recurring geolocation database (GeoDB) updates. Recurring GeoDB updates run once every 7 days (weekly); you can configure the time the update recurs each week. For more information on GeoDB updates, see Updating the Geolocation Database.
To automate geolocation database updates:
Step 1 Select System > Updates .
The Product Updates page appears.
Step 2 Click the Geolocation Updates tab.
The Geolocation Updates page appears.
Step 3 Under Recurring Geolocation Updates , select the Enable Recurring Weekly Updates check box.
The Update Start Time field appears.
Step 4 In the Update Start Time field, specify the time and day of the week when you want weekly GeoDB updates to occur.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating FireSIGHT Recommendations
You can automatically generate rule state recommendations based on network discovery data for your network using the most recently saved configuration settings in a custom intrusion policy.
Note If the system automatically generates scheduled recommendations for an intrusion policy with unsaved changes, you must discard your changes in that policy and commit the policy if you want the policy to reflect the automatically generated recommendations. See Resolving Conflicts and Committing Policy Changes for more information.
When the task runs, the system automatically generates recommended rule states. Optionally, depending on the configuration of your policy, it also modifies the states of intrusion rules based on the criteria described in Tailoring Intrusion Protection to Your Network Assets. Modified rule states take effect the next time you apply your intrusion policy.
To automate rule state recommendation generation:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select FireSIGHT Recommended Rules .
The page reloads to show the options for generating FireSIGHT recommendations.
Step 4 Optionally, click the policies link next to the Job Type field to display the Detection & Prevention page, where you can configure FireSIGHT Recommended Rules in an intrusion policy.
Step 5 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 6 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 7 Next to Policies , select one or more policies where you want to generate recommendations. You have the following options:
Step 8 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 9 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Software Updates
You can automatically download and apply most patches and feature releases to the FireSIGHT System.
Note You must manually upload and install updates in two situations. First, you cannot schedule major updates to the FireSIGHT System. Second, you cannot schedule updates for or pushes from appliances that cannot access the Support Site. If your appliance is not directly connected to the Internet, you should set up a proxy as described in Configuring Management Interfaces to allow it to download updates from the Support Site. For information on manually updating the FireSIGHT System, see Updating System Software.
The tasks you must schedule to install software updates vary depending on whether you are updating the Defense Center or are using a Defense Center to update managed devices. Cisco strongly recommends that you use your Defense Centers to update the devices they manage.
To update the Defense Center, schedule the software installation using the Install Latest Update task. To use a Defense Center to automate software updates for its managed devices, you must schedule two tasks:
Step 1 Push (copy) the update to managed devices using the Push Latest Update task.
Step 2 Install the update on managed devices using the Install Latest Update task.
When scheduling updates, schedule the push and install tasks to happen in succession. That is, to automate software updates on your managed devices, you must first push the update to the device before you can install it. To automate software updates on a device group, you must select all the devices within the group. (Note that during the manual update process you do not have to push an update to managed devices before you install it. For more information, see Updating Managed Devices.)
Note You cannot create individual update tasks for managed devices in a clustered or stacked configuration.
Always allow enough time between tasks for the process to complete. Tasks should be scheduled at least 30 minutes apart. For example, if you schedule a task to install an update and the update has not finished copying from the Defense Center to the device, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the pushed update when it runs the next day.
Note that a task scheduled to install an update on a device group will install the update to each device within the device group simultaneously. Allow enough time for the scheduled task to complete for all the devices within the device group.
If you want to have more control over this process, you can use the Once option to download and install updates during off-peak hours after you learn that an update has been released.
See the following sections for more information:
Automating Software Downloads
You can create a scheduled task that automatically downloads the latest software updates from Cisco. You can use this task to schedule download of updates you plan to install manually.
To automate software update downloads:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Download Latest Update .
The New Task page reloads to show the update options.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 In the Update Items section, select Software .
Step 7 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 8 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Software Pushes
If you want to automate the installation of software updates on managed devices, you must push the updates to the devices before installing.
When you push updates to managed devices, information about the push process status is reported on the Tasks page. See Viewing the Status of Long-Running Tasks for more information.
When you create the task to push software updates to managed devices, make sure you allow enough time between the push task and a scheduled install task for the updates to be copied to the device.
To push software updates to managed devices:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Push Latest Update .
The page reloads to show the options for pushing updates.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 From the Device list, select the device that you want to receive updates.
Step 7 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 8 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Software Installs
If you are using a Defense Center to create a task to install a software update on a managed device, make sure you allow enough time between the task that pushes the update to the device and the task that installs the update. See Automating Software Pushes for information about pushing updates to managed devices.
Caution Depending on the update being installed, the appliance may reboot after the software is installed.
To schedule a software installation task:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Install Latest Update .
The page reloads to show the options for installing updates.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 From the Device list, you have the following options:
Step 7 In the Update Items section, select Software .
Step 8 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 9 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating Vulnerability Database Updates
Cisco uses vulnerability database (VDB) updates to expand the list of network assets, traffic, and vulnerabilities that the FireSIGHT System recognizes. You can use the scheduling feature to download and install the latest VDB update on your Defense Centers, thereby ensuring that you are using the most up-to-date information to evaluate the hosts on your network.
Note You cannot schedule updates for appliances that cannot access the Support Site. If your appliance is not directly connected to the Internet, you should set up a proxy as described in Configuring Management Interfaces to allow it to download updates from the Support Site. For information on manually updating the FireSIGHT System, see Updating System Software.
When automating VDB updates, you must automate two separate steps:
Step 1 Downloading the VDB update.
Step 2 Installing the VDB update.
Always allow enough time between tasks for the process to complete. For example, if you schedule a task to install an update and the update has not fully downloaded, the installation task will not succeed. However, if the scheduled installation task repeats daily, it will install the downloaded VDB update when the task runs the next day.
If you want to have more control over this process, you can use the Once option to download and install VDB updates during off-peak hours after you learn that an update has been released.
Caution Installing a VDB update restarts the Snort process when you apply your access control policy, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. See How Snort Restarts Affect Traffic for more information.
See the following sections for more information:
Automating VDB Update Downloads
You can create a scheduled task on the Defense Center that automatically downloads the latest VDB update from Cisco.
To automate VDB update downloads:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Download Latest Update .
The New Task page reloads to show the update options.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 In the Update Items section, select Vulnerability Database .
Step 7 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 8 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating VDB Update Installs
You should allow enough time between the task that downloads the VDB update and the task that installs the update; see Automating VDB Update Downloads for information.
Caution Installing a VDB update restarts the Snort process when you apply your access control policy, temporarily interrupting traffic inspection. Whether traffic drops during this interruption or passes without further inspection depends on the model of the managed device and how it handles traffic. See How Snort Restarts Affect Traffic for more information.
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Install Latest Update .
The page reloads to show the options for installing updates.
Step 4 Specify how you want to schedule the task, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 From the Device drop-down list, select the name of the Defense Center.
Step 7 In the Update Items section, select Vulnerability Database .
Step 8 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 9 Optionally, in the Email Status To: field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Automating URL Filtering Updates
Supported Defense Centers: Any except DC500
You can use the scheduler to automate updates of URL filtering data from the Collective Security Intelligence Cloud. For a URL filtering update task to succeed:
- The Defense Center must have access to the Internet or it cannot contact the cloud.
- You must enable URL filtering, as described in Enabling Cloud Communications.
Note that when you enable URL filtering, you can also enable automatic updates. This forces the Defense Center to contact the cloud every 30 minutes for URL filtering data updates. If you have enabled automatic updates, you should not create a scheduled task to update URL filtering data.
Although daily updates tend to be small, if it has been more than five days since your last update, new URL filtering data may take up to 20 minutes to download, depending on your bandwidth. Then, it may take up to 30 minutes to perform the update itself.
To automate URL filtering data tasks:
Step 1 Select System > Tools > Scheduling .
Step 3 From the Job Type list, select Update URL Filtering Database .
The page reloads to show the URL filtering update options.
Step 4 Specify how you want to schedule the update, Once or Recurring :
- For one-time tasks, use the drop-down lists to specify the start date and time. The Current Time field indicates the current time on the appliance.
- For recurring tasks, you have several options for setting the interval between instances of the task. See Configuring a Recurring Task for details.
Step 5 In the Job Name field, type a name using up to 255 alphanumeric characters, spaces, or dashes.
Step 6 Optionally, in the Comment field, type a comment using up to 255 alphanumeric characters, spaces, or periods.
Tip The comment field appears in the View Tasks section of the page, so you should try to keep it relatively short.
Step 7 Optionally, in the Email Status To field, type the email address (or multiple email addresses separated by commas) where you want task status messages sent.
You must have a valid email relay server configured to send status messages. See Configuring a Mail Relay Host and Notification Address for more information about configuring a relay host.
The task is added. You can check the status of a running task on the Task Status page; see Viewing the Status of Long-Running Tasks.
Viewing Tasks
After adding scheduled tasks, you can view them and evaluate their status. The View Options section of the page allows you to view scheduled tasks using a calendar and a list of scheduled tasks.
See the following sections for more information:
Using the Calendar
The Calendar view option allows you to view which scheduled tasks occur on which day.
To view scheduled tasks using the calendar:
Step 1 Select System > Tools > Scheduling .
Step 2 You can perform the following tasks using the calendar view:
) to move back one year.
) to move back one month.
) to move forward one month.
) to move forward one year.
Note For more information about using the task list, see Using the Task List.
Using the Task List
The Task List shows a list of tasks along with their status. The task list appears below the calendar when you open the calendar. In addition, you can access it by selecting a date or task from the calendar. See Using the Calendar for more information.
) indicates that the task ran successfully. 
) indicates that the task is in an unknown state.
) indicates that the task failed.Editing Scheduled Tasks
You can edit a scheduled task that you previously created. This feature is especially useful if you want to test a scheduled task once to make sure that the parameters are correct. Later, after the task completes successfully, you can change it to a recurring task.
To edit an existing scheduled task:
Step 1 Select System > Tools > Scheduling .
Step 2 Click either the task that you want to edit or the day on which the task appears.
The Task Details table containing the selected task or tasks appears.
Step 3 Locate the task you want to edit in the table and click the edit icon (
)
The Edit Task page appears, showing the details of the task you selected.
Step 4 Edit the task to meet your needs, including the start time, the job name, the comment, and how often the task runs, once or recurring. You cannot change the type of job.
The remaining options are determined by the task you are editing. See the following sections for more information:
Step 5 Click Save to save your edits.
Your change are saved and the Scheduling page appears again.
Deleting Scheduled Tasks
There are two types of deletions you can perform from the Schedule View page. You can delete a specific one-time task that has not yet run or you can delete every instance of a recurring task. If you delete an instance of a recurring task, all instances of the task are deleted. If you delete a task that is scheduled to run once, only that task is deleted.
The following sections describe how to delete tasks:
- To delete all instances of a task, see Deleting a Recurring Task.
- To delete a single instance of a task, see Deleting a One-Time Task.
Deleting a Recurring Task
When you delete one instance of a recurring task, you automatically delete all instances of that task.
Step 1 Select System > Tools > Scheduling .
Step 2 On the calendar, select an instance of the recurring task you want to delete.
The page reloads to display a table of tasks below the calendar.
Step 3 Locate an instance of the recurring task you want to delete in the table and click the delete icon (
).
All instances of the recurring task are deleted.
Deleting a One-Time Task
You can delete a one-time scheduled task or delete the record of a previously run scheduled task using the task list.
To delete a single task or, if it has already run, delete a task record:
Step 1 Select System > Tools > Scheduling .
Step 2 Click the task that you want to delete or the day on which the task appears.
A table containing the selected task or tasks appears.
Step 3 Locate the task you want to delete in the table and click the delete icon (
).
The instance of the task you selected is deleted.
Feedback