Managing System Policies

A system policy allows you to manage the following on your FireSIGHT System appliances:

  • access control preferences
  • appliance access lists
  • audit log settings
  • external authentication
  • dashboard settings
  • database event limits
  • DNS cache properties
  • the mail relay host and notification address
  • tracking intrusion and network analysis policy changes
  • specifying a different language
  • custom login banners
  • SNMP polling settings
  • synchronizing time
  • STIG compliance
  • serving time from the Defense Center
  • user interface and command line interface timeout settings
  • mapping vulnerabilities for servers

You can use a system policy to control the aspects of your Defense Center that are likely to be similar for other appliances in your deployment. For example, your organization’s security policies may require that your appliances have a “No Unauthorized Use” message when a user logs in. With system policies, you can set the login banner once in a system policy on a Defense Center and then apply the policy to all the devices that it manages.

You can also benefit from having multiple system policies on a Defense Center. For example, if you have different mail relay hosts that you use under different circumstances or if you want to test different database limits, you can create several system policies and switch between them, rather than editing a single policy.

Contrast a system policy, which controls aspects of an appliance that are likely to be similar across a deployment, with system settings, which are likely to be specific to a single appliance. See Configuring Appliance Settings for more information.

See the following sections for more information:

Creating a System Policy

License: Any

Supported Devices: Any except X-Series

When you create a system policy, you assign it a name and a description. Next, you configure the various aspects of the policy, each of which is described in its own section.

Instead of creating a new policy, you can export a system policy from another appliance and then import it onto your appliance. You can then edit the imported policy to suit your needs before you apply it. For more information, see Importing and Exporting Configurations.

To create a system policy:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

The Policy Name column includes the system policy’s description. The Applied To column indicates the number of appliances where the policy is applied and a count of out-of-date appliances where the previously applied policy has changed and should be reapplied.

Step 2 Click Create Policy .

The Create Policy page appears.

Step 3 From the drop-down list, select an existing policy to use as a template for your new system policy.

Step 4 Type a name for your new policy in the New Policy Name field.

Step 5 Type a description for your new policy in the New Policy Description field.

Step 6 Click Create .

Your system policy is saved and the Edit System Policy page appears. For information about configuring each aspect of the system policy, see one of the following sections:


 

Editing a System Policy

License: Any

Supported Devices: Any except X-Series

You can edit an existing system policy. If you edit a system policy that is currently applied to an appliance, reapply the policy after you have saved your changes. For more information, see Applying a System Policy.

To edit an existing system policy:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears, including a list of the existing system policies.

Step 2 Click the edit icon ( ) next to the system policy that you want to edit.

The Edit Policy page appears. You can change the policy name and policy description. For information about configuring each aspect of the system policy, see one of the following sections:


Note If you are editing a system policy applied to an appliance, make sure you reapply the updated policy when you are finished. See Applying a System Policy.


Step 3 Click Save Policy and Exit to save your changes. The changes are saved, and the System Policy page appears.


 

Applying a System Policy

License: Any

Supported Devices: Any except X-Series

You can apply a system policy to an appliance. If a system policy is already applied, any changes you make do not take effect until you reapply it.


Note You cannot apply a system policy to Cisco NGIPS for Blue Coat X-Series.


To apply a system policy:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 Click the apply icon ( ) next to the system policy that you want to apply.

The Apply page appears.

Step 3 Select the appliances to which you want to apply the system policy.


Tip You can sort the appliances by group, model, health policy, or applied system policy. You can select either an individual appliance or an entire group.


Step 4 Click Apply .

The System Policy page appears. A message indicates the status of applying the system policy.


 

Comparing System Policies

License: Any

Supported Devices: Any except X-Series

You can compare two system policies or two revisions of the same system policy, subject to the system policies you can access. This allows you to review policy changes for compliance with your organization’s standards, or for optimization of system performance. To quickly compare your active system policy to another, you can select the Running Configuration option. Optionally, after you compare, you can generate a PDF report to record the differences between the system policies or system policy revisions.

There are two tools you can use to compare system policies or system policy revisions:

  • The comparison view displays the differences between two system policies or system policy revisions in a side-by-side format. The name of each policy or policy revision appears in the title bar on the left and right sides of the comparison view.

You can use this to view and navigate both policy revisions on the web interface, with their differences highlighted.

  • The comparison report creates a record of the differences between two system policies or system policy revisions in a format similar to the system policy report, but in PDF format.

You can use this to save, copy, print, and share your policy comparisons for further examination.

Using the System Policy Comparison View

License: Any

Supported Devices: Any except X-Series

The comparison view displays both system policies or policy revisions in a side-by-side format, with each policy or policy revision identified by name in the title bar on the left and right sides of the comparison view. For all revisions, the system policy comparison view displays the time of last modification and the last user to the right of the policy name.

Differences between the two system policies or policy revisions are highlighted:

  • Blue indicates that the highlighted setting is different in the two policies or policy revisions, and the difference is noted in red text.
  • Green indicates that the highlighted setting appears in one policy or policy revision, but not the other.

You can perform any of the actions in the following table.

 

Table 63-1 System Policy Comparison View Actions

To navigate individually through changes, select Previous or Next above the title bar. The double-arrow icon centered between the left and right sides moves, and the Difference number adjusts to identify which difference you are viewing.

To generate a new system policy comparison view, select New Comparison. The Select Comparison window appears. See Using the System Policy Comparison Report for more information.

To generate a system policy comparison report, select Comparison Report. The system policy comparison report is a PDF that contains information identical to the system policy comparison view.

Using the System Policy Comparison Report

License: Any

Supported Devices: Any except X-Series

A system policy comparison report is a record of all differences between two system policies or two revisions of the same system policy identified by the system policy comparison view, presented in PDF format. You can use this report to further examine the differences between two system policy configurations and to save and disseminate your findings.

You can generate a system policy comparison report from the comparison view for any system policies to which you have access. Changes you make to a system policy do not appear in the system policy comparison report until you save the changes.

Depending on your configuration, a system policy comparison report can contain one or more sections. Each section uses the same format and provides the same level of detail. Note that the Value A and Value B columns represent the policies or policy revisions you configured in the comparison view.


Tip You can use a similar procedure to compare SSL, network analysis, intrusion, file, access control, or health policies.


To compare two system policies or two revisions of the same policy:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 Click Compare Policies .

The Select Comparison pop-up window appears.

Step 3 From the Compare Against drop-down list, select the type of comparison you want to make:

    • To compare two different policies, select Other Policy .
    • To compare two revisions of the same policy, select Other Revision .
    • To compare another policy to a currently active policy, select Running Configuration.

Step 4 Depending on the comparison type you selected, you have the following choices:

    • If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
    • If you are comparing two revisions of the same policy, select the policy from the Policy drop-down list, then select the revisions you want to compare from the Revision A and Revision B drop-down lists.
    • If you are comparing a running configuration to another policy, select the running configuration from the Target/Running Configuration A drop-down list, and the other policy from the Policy B drop-down list.

Step 5 Click OK to display the system policy comparison view.

The comparison view appears.

Step 6 Click Comparison Report to generate the system policy comparison report.

The system policy comparison report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.


 

Deleting System Policies

License: Any

Supported Devices: Any except X-Series

You can delete a system policy, even if it is in use. If the policy is still in use, it is used until a new policy is applied. Default system policies cannot be deleted.

To delete a system policy:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 Click the delete icon ( ) next to the system policy that you want to delete. To delete the policy, click OK.

The System Policy page appears. A pop-up message appears, confirming the policy deletion.


 

Configuring a System Policy

License: Any

Supported Devices: Any except X-Series

You can configure various system policy settings. For information about configuring each aspect of the system policy, see one of the following sections:

Configuring Access Control Policy Preferences

License: Protection

Supported Devices: Any except X-Series

You can configure the system to prompt users for a comment when they add or modify a rule in an access control policy. You can use this to track users’ reasons for policy changes. If you enable comments on access control rule changes, you can make the rule comment optional or mandatory. The system prompts the user for a comment each time a change to a rule is saved.

The system adds the comment to the rule’s comment history when the user saves the rule. For more information, see Adding Comments to a Rule.

To configure the access control policy rule comment settings:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the access control policy settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the access control policy settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Access Control Preferences .

The Access Control Preferences page appears.

Step 4 You have the following options:

    • Select Disabled from the drop-down list to allow users to add or modify a rule in an access control policy without entering a comment.
    • Select Optional from the drop-down list to display the Description of Changes (Optional) window to users when they save changes to access control policy rules. This allows users the option to describe changes in a comment.
    • Select Required from the drop-down list to display the Description of Changes (Required) window to users when they save changes to access control policy rules. This requires users to describe changes in a comment before the changes are saved.

Step 5 Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


 

Configuring the Access List for Your Appliance

License: Any

Supported Devices: Any except X-Series

The Access List page allows you to control which computers can access your appliance on specific ports. By default, port 443 (Hypertext Transfer Protocol Secure, or HTTPS), which is used to access the web interface, and port 22 (Secure Shell, or SSH), which is used to access the command line, are enabled for any IP address. You can also add SNMP access over port 161. Note that you must add SNMP access for any computer you plan to use to poll for SNMP information.


Caution By default, access to the appliance is not restricted. To operate the appliance in a more secure environment, consider adding access to the appliance for specific IP addresses and then deleting the default any option.

The access list is part of the system policy. You can specify the access list either by creating a new system policy or by editing an existing system policy. In either case, the access list does not take effect until you apply the system policy.

Note that this access list does not also control external database access. For more information on the external database access list, see Enabling Access to the Database.

To configure the access list:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the access list in an existing system policy, click the edit icon next to the system policy.
    • To configure the access list as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Optionally, to delete one of the current settings, click the delete icon ( ).

The setting is removed.


Caution If you delete access for the IP address that you are currently using to connect to the appliance interface, and there is no entry for “IP=any port=443”, you will lose access to the system when you apply the policy.

Step 4 Optionally, to add access for one or more IP addresses, click Add Rules .

The Add IP Address page appears.

Step 5 In the IP Address field, you have the following options, depending on the IP addresses you want to add:

    • an exact IP address (for example, 192.168.1.101)
    • an IP address block using CIDR notation (for example, 192.168.1.1/24)
    • any, to designate any IP address

For information on using CIDR in the FireSIGHT System, see IP Address Conventions.

Step 6 Select SSH , HTTPS , SNMP , or a combination of these options to specify which ports you want to enable for these IP addresses.

Step 7 Click Add .

The Access List page appears again, reflecting the changes you made.

Step 8 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.
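The two cautions in this procedure (the unrestricted default, and locking yourself out by deleting the entry your own address relies on) are easy to check before you apply the policy. The following is an added example, not code from the FireSIGHT System or from Cisco: it models an access list as rows of address (exact IP, CIDR block, or any) plus enabled services, and reports whether a given administrator address would still reach port 443 once the policy is applied. The entries and the administrator address are constructed for illustration.

```python
import ipaddress

# Port numbers behind the three service names on the Access List page.
SERVICE_PORTS = {"SSH": 22, "HTTPS": 443, "SNMP": 161}


def parse_entry(ip_spec, services):
    """Turn one access-list row (an exact IP, a CIDR block, or "any") plus
    its enabled services into a (network, ports) pair. network is None for
    the "any" entry. Raises ValueError on an unknown service or bad address."""
    ports = set()
    for svc in services:
        if svc not in SERVICE_PORTS:
            raise ValueError(f"unknown service {svc!r}; expected one of {sorted(SERVICE_PORTS)}")
        ports.add(SERVICE_PORTS[svc])
    spec = ip_spec.strip()
    if spec.lower() == "any":
        return None, ports
    # strict=False accepts host-style blocks such as 192.168.1.1/24, as in the procedure.
    return ipaddress.ip_network(spec, strict=False), ports


def is_allowed(entries, client_ip, port):
    """True if at least one entry admits client_ip on the given port."""
    addr = ipaddress.ip_address(client_ip)
    return any(port in ports and (network is None or addr in network)
               for network, ports in entries)


def lockout_risks(entries, admin_ip):
    """Warnings that mirror the two cautions in the procedure: the address you
    administer from would lose HTTPS once the policy is applied, or an "any"
    entry still grants web or shell access from every address."""
    warnings = []
    if not is_allowed(entries, admin_ip, 443):
        warnings.append(f"{admin_ip} would lose HTTPS (443) access after apply")
    if any(network is None and ports & {22, 443} for network, ports in entries):
        warnings.append("an 'any' entry still grants SSH or HTTPS access from every address")
    return warnings


# Constructed lists: the factory default (any on SSH and HTTPS) beside a
# restricted list for one management subnet plus a single SNMP poller.
DEFAULT_LIST = [parse_entry("any", ["SSH", "HTTPS"])]
RESTRICTED_LIST = [
    parse_entry("192.168.1.1/24", ["SSH", "HTTPS"]),
    parse_entry("10.0.5.7", ["SNMP"]),
]

if __name__ == "__main__":
    for name, entries in (("default", DEFAULT_LIST), ("restricted", RESTRICTED_LIST)):
        print(name, "->", lockout_risks(entries, "192.168.1.50") or "no warnings")
```

Run it with the address you are connected from as the second argument to lockout_risks; an empty list means the policy can be applied without cutting off your own session. The SNMP poller in the restricted list is deliberately granted port 161 only, so the check also confirms that a host added for polling does not gain web or shell access.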


 

Configuring Audit Log Settings

License: Any

Supported Devices: Any except X-Series

You can configure the system policy so that the appliance streams an audit log to an external host.


Note You must ensure that the external host is functional and accessible from the appliance sending the audit log.


The sending host name is part of the information sent. You can further identify the audit log stream with a facility, a severity, and an optional tag. The appliance does not send the audit log until you apply the system policy.

After you apply a policy with this feature enabled, and your destination host is configured to accept the audit log, the syslog messages are sent. The following is an example of the output structure:

Date Time Host [ Tag ] Sender: [ User_Name ]@[ User_IP ], [ Subsystem ], [ Action ]

where the local date, time, and hostname precede the bracketed optional tag, and the sending device name precedes the audit log message.

For example:

Mar 01 14:45:24 localhost [ TAG ] Dev-DC3000: admin@10.1.1.2, Operations > Monitoring, Page View
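Once the stream reaches a collector, the structure above is regular enough to parse into fields and run simple checks over. The following is an added example, not code from the FireSIGHT System or from Cisco: it parses lines of the documented form (the bracketed tag being optional) and flags records whose User_IP lies outside an expected management network. Apart from the example line quoted above, the sample lines and the management network are constructed for illustration.

```python
import ipaddress
import re

# Regex for the documented structure:
#   Date Time Host [ Tag ] Sender: User_Name@User_IP, Subsystem, Action
# The bracketed tag is optional. Subsystem may itself contain " > " path
# separators, so Action is taken as the text after the last comma.
AUDIT_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:\[\s*(?P<tag>[^\]]*?)\s*\]\s+)?"
    r"(?P<sender>\S+): (?P<user>[^@\s]+)@(?P<user_ip>[^,\s]+), "
    r"(?P<subsystem>.+), (?P<action>[^,]+)$"
)


def parse_audit_line(line):
    """Return a dict of fields for one audit syslog line, or None if the
    line does not follow the documented structure."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    if fields["tag"] is None:
        fields["tag"] = ""
    return fields


def audit_from_outside(lines, management_net):
    """Return ([(user, user_ip, action), ...], skipped) for every parsed
    record whose User_IP is outside management_net. Lines that do not parse
    are counted in skipped rather than silently dropped."""
    net = ipaddress.ip_network(management_net)
    hits, skipped = [], 0
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            skipped += 1
            continue
        try:
            addr = ipaddress.ip_address(rec["user_ip"])
        except ValueError:
            skipped += 1
            continue
        if addr not in net:
            hits.append((rec["user"], rec["user_ip"], rec["action"]))
    return hits, skipped


# Constructed sample: the documented example line, one line without a tag,
# one from an address outside the management network, and one junk line.
SAMPLE_LINES = [
    "Mar 01 14:45:24 localhost [ TAG ] Dev-DC3000: admin@10.1.1.2, Operations > Monitoring, Page View",
    "Mar 01 14:46:02 localhost Dev-DC3000: admin@10.1.1.2, System > Local > System Policy, Page View",
    "Mar 01 14:47:10 localhost [ TAG ] Dev-DC3000: analyst@203.0.113.40, Analysis > Intrusions, Page View",
    "this line is not an audit record",
]

if __name__ == "__main__":
    hits, skipped = audit_from_outside(SAMPLE_LINES, "10.1.1.0/24")
    print(hits, "skipped:", skipped)
```

Because the tag is optional, the parser must not require it; a collector that assumes the bracketed field is always present would drop every record from a policy configured without one.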

To configure the audit log settings:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the audit log settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the audit log settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Audit Log Settings .

The Audit Log Settings page appears.

Step 4 Select Enabled from the Send Audit Log to Syslog drop-down menu. (The default setting is Disabled .)

Step 5 Designate the destination host for the audit information by using the IP address or the fully qualified name of the host in the Host field. The default port (514) is used.


Caution If the computer you configure to receive an audit log is not set up to accept remote messages, the host will not accept the audit log.

Step 6 Select a syslog facility from the Facility field.

Step 7 Select a severity from the Severity field.

Step 8 Optionally, insert a reference tag in the Tag (optional) field.

Step 9 To send regular audit log updates to an external HTTP server, select Enabled from the Send Audit Log to HTTP Server drop-down list. The default setting is Disabled .

Step 10 In the URL to Post Audit field, designate the URL where you want to send audit information. You must enter a URL that corresponds to a listener program that expects the HTTP POST variables listed below:

    • subsystem
    • actor
    • event_type
    • message
    • action_source_ip
    • action_destination_ip
    • result
    • time
    • tag (if defined, as above)

Caution To allow encrypted posts, you must use an HTTPS URL. Note that sending audit information to an external URL may affect system performance.

Step 11 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed devices. See Applying a System Policy for more information.
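Step 10 requires a listener on the receiving side that understands the POST variables listed there. The following is an added example of such a listener, not code from the FireSIGHT System or from Cisco: it decodes a form-encoded POST body, rejects requests missing any of the required variables, and appends accepted records to a JSON-lines file. The output path, the port, and the sample body are assumptions made for illustration.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# The POST variables the listener must expect, as listed in step 10.
REQUIRED_FIELDS = ("subsystem", "actor", "event_type", "message",
                   "action_source_ip", "action_destination_ip", "result", "time")
OPTIONAL_FIELDS = ("tag",)


def decode_audit_post(body):
    """Decode a form-encoded POST body into one audit record. A missing
    required variable raises ValueError so a misconfigured sender is
    rejected with 400 rather than stored as a half-empty record."""
    form = parse_qs(body.decode("utf-8"), keep_blank_values=True)
    record = {}
    for name in REQUIRED_FIELDS + OPTIONAL_FIELDS:
        if name in form:
            record[name] = form[name][0]
        elif name in REQUIRED_FIELDS:
            raise ValueError(f"missing required audit variable {name!r}")
    return record


def is_complete_post(body):
    """True if the body carries every required variable and decodes cleanly."""
    try:
        decode_audit_post(body)
    except (ValueError, UnicodeDecodeError):
        return False
    return True


class AuditPostHandler(BaseHTTPRequestHandler):
    """Append each accepted record to a JSON-lines file (path is an assumption)."""
    log_path = "audit_posts.jsonl"

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            record = decode_audit_post(body)
        except (ValueError, UnicodeDecodeError) as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode("utf-8"))
            return
        with open(self.log_path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")
        self.send_response(204)
        self.end_headers()


# Constructed body in the shape a post with all nine variables would carry.
SAMPLE_BODY = (
    b"subsystem=System+%3E+Local+%3E+System+Policy&actor=admin&event_type=Page+View"
    b"&message=Viewed+page&action_source_ip=10.1.1.2&action_destination_ip=10.1.1.10"
    b"&result=Success&time=1425221124&tag=TAG"
)

if __name__ == "__main__":
    # Plain HTTP on port 8080 (assumed); terminate TLS in front of it so the
    # appliance can be given an HTTPS URL, as the caution above requires.
    HTTPServer(("", 8080), AuditPostHandler).serve_forever()
```

The listener itself speaks plain HTTP; to satisfy the caution that encrypted posts need an HTTPS URL, place it behind a TLS-terminating proxy or wrap the server socket with the ssl module before exposing it.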


 

Enabling External Authentication

License: Any

Supported Devices: Any except X-Series

Normally, when a user logs into an appliance, the appliance verifies user credentials by comparing the credentials to a user account stored in the appliance’s local database. However, if you create an authentication object referencing an external authentication server, you can enable external authentication in the system policy to let users logging into the Defense Center or managed device authenticate to that server, rather than using the local database.

When you apply a system policy with external authentication enabled to an appliance, the appliance verifies the user credentials against users on an LDAP or RADIUS server. In addition, if a user has local, internal authentication enabled and the user credentials are not found in the internal database, the appliance then checks the external server for a set of matching credentials. If a user has the same username on multiple systems, all passwords across all servers work. Note, however, that if authentication fails on the available external authentication servers, the appliance does not revert to checking the local database.

When you enable external authentication, you can set the default user role for any user whose account is externally authenticated. You can select multiple roles, as long as those roles can be combined. For example, if you enable external authentication that retrieves only users in the Network Security group in your company, you may set the default user role to include the Security Analyst role so users can access collected event data without any additional user configuration on your part. However, if your external authentication retrieves records for other personnel in addition to the security group, you would probably want to leave the default role unselected. For more information on available user roles, see Understanding User Privileges.

If no access role is selected, users can log in but cannot access any functionality. After a user attempts to log in, their account is listed on the User Management page, where you can edit the account settings to grant additional permissions. For more information on modifying a user account, see Modifying User Privileges and Options.


Tip If you configure the system policy to use one user role and apply the policy, then later modify the policy to use different default user roles and reapply, any user accounts created before the modification retain the first user role until you modify the accounts, or delete and recreate them.


If you want to specify the set of users who can successfully authenticate against the LDAP server for shell access, you must set the shell access attribute and other settings within an LDAP authentication object before enabling external authentication in a system policy. For more information, see Configuring LDAP-Specific Parameters and Understanding Shell Access.

If you want to specify the set of users who can successfully authenticate against the LDAP server for CAC authentication and authorization, you must set the UI access attribute, user name template, and other settings in an LDAP authentication object before you enable external authentication in a system policy. For more information, see Configuring LDAP-Specific Parameters and Understanding LDAP Authentication With CAC.


Note If you want to enable both shell access and CAC authentication on an appliance, you must create separate authentication objects and enable them separately in your system policy.


After you finish customizing your authentication object, you must enable external authentication in a system policy on your Defense Center and then push that policy to managed devices. After you apply the policy to a device, eligible externally authenticated users can log into that device. To make changes to your external authentication settings, you have to modify the system policy on the Defense Center, and then apply the policy to the device again. To disable authentication on a managed device, you can disable it in a system policy on the Defense Center and push that to the device.

Note that you can only enable external authentication on physical and virtual Defense Centers and managed devices. Enabling external authentication by applying a system policy is not supported on Cisco NGIPS for Blue Coat X-Series.

If a user with internal authentication attempts to log in, the appliance first checks if that user is in the local user database. If the user exists, the appliance then checks the username and password against the local database. If a match is found, the user logs in successfully. If the login fails, however, and external authentication is enabled, the appliance checks the user against each external authentication server in the authentication order shown in the system policy. If the username and password match results from an external server, the appliance changes the user to an external user with the default privileges for that authentication object.

If an external user attempts to log in, the appliance checks the username and password against the external authentication server. If a match is found, the user logs in successfully. If the login fails, the user login attempt is rejected. External users cannot authenticate against the user list in the local database. If the user is a new external user, an external user account is created in the local database with the default privileges from the external authentication object.
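The two paragraphs above describe a decision procedure with several edge cases: an internal user is checked locally first and then, if external authentication is enabled, against each server in policy order; a match converts the account to an external user with the object's default roles; an external user is never checked against the local database; and a new external user gets an account with the default roles (possibly none). The following is an added example that walks through that procedure, not code from the FireSIGHT System or from Cisco. The local database model, the stand-in LDAP and RADIUS verifiers, and the user names and passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class LocalAccount:
    """One row of the appliance's local user database (hypothetical model)."""
    salt: bytes
    digest: bytes
    external: bool                      # True once the account authenticates externally
    roles: Set[str] = field(default_factory=set)

    @classmethod
    def internal(cls, password, roles):
        salt = os.urandom(16)
        return cls(salt, _hash_password(password, salt), False, set(roles))

    def check(self, password):
        # External accounts never authenticate against the local database.
        if self.external:
            return False
        return hmac.compare_digest(self.digest, _hash_password(password, self.salt))


@dataclass
class AuthObject:
    """Stand-in for an LDAP or RADIUS authentication object: its name, the
    verification the server would perform, and the policy's default roles."""
    name: str
    verify: Callable[[str, str], bool]
    default_roles: Set[str]


@dataclass
class LoginResult:
    ok: bool
    roles: Set[str] = field(default_factory=set)
    source: str = ""                    # "local" or the authentication object that matched


def login(username, password, local_db, auth_objects, external_enabled):
    account = local_db.get(username)

    # Internal account: the local database is checked first.
    if account is not None and not account.external:
        if account.check(password):
            return LoginResult(True, set(account.roles), "local")
    if not external_enabled:
        return LoginResult(False)

    # Internal login failed, existing external user, or unknown user:
    # try the servers in the order shown in the system policy.
    for obj in auth_objects:
        if obj.verify(username, password):
            if account is None:
                # New external user: account created with the object's default roles.
                local_db[username] = LocalAccount(b"", b"", True, set(obj.default_roles))
            elif not account.external:
                # Internal user matched externally: converted to an external user.
                account.external = True
                account.roles = set(obj.default_roles)
            return LoginResult(True, set(local_db[username].roles), obj.name)

    # No server matched: there is no fallback to the local database.
    return LoginResult(False)


def build_demo():
    """Constructed local database and two constructed authentication objects.
    "sam" exists locally and on both servers with different passwords; "tina"
    exists only on the RADIUS stand-in, whose default role list is empty."""
    local_db = {
        "admin": LocalAccount.internal("local-secret", {"Administrator"}),
        "sam": LocalAccount.internal("old-local-pw", {"Security Analyst"}),
    }
    ldap_users = {"sam": "ldap-pw"}
    radius_users = {"sam": "radius-pw", "tina": "radius-tina"}
    auth_objects = [
        AuthObject("corp-ldap", lambda u, p: ldap_users.get(u) == p, {"Security Analyst"}),
        AuthObject("corp-radius", lambda u, p: radius_users.get(u) == p, set()),
    ]
    return local_db, auth_objects
```

Two points the walk-through makes visible: once "sam" has matched an external server, the old local password stops working, because external accounts are never checked locally; and "tina" logs in successfully with an empty role set, which is the "can log in but cannot access any functionality" case that leaves an account on the User Management page waiting for you to grant privileges.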

To enable authentication of users on external servers:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify your external authentication settings in an existing system policy, click the edit icon next to the system policy.
    • To configure your external authentication settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click External Authentication .

The External Authentication page appears.

Step 4 From the Status drop-down list, select Enabled .

Step 5 From the Default User Role drop-down list, select user roles to define the default permissions you want to grant to externally authenticated users.


Tip Press Ctrl before selecting roles to select multiple default user roles. Note that although you can select both a Security Analyst role and the corresponding Security Analyst (Read Only) role, only the Security Analyst role is applied.


Step 6 If you want to use the external server to authenticate shell access accounts as well, select Enabled from the Shell Authentication drop-down list.

Step 7 If you want to enable CAC authentication and authorization, select an available CAC authentication object from the CAC Authentication drop-down list.

For the complete procedure for configuring CAC authentication and authorization, see Understanding LDAP Authentication With CAC.

Step 8 To enable use of a preconfigured authentication object, select the check box next to the object. You must select at least one authentication object to enable external authentication.


Tip If you enabled shell authentication in step 6, you must select an authentication object configured to allow shell access. Note that you must use different authentication objects to manage shell access and CAC authentication in the same system policy. For more information, see Understanding Shell Access and Understanding LDAP Authentication With CAC.


Step 9 Optionally, use the up and down arrows to change the order in which authentication servers are accessed when an authentication request occurs.


Note Remember that shell access users can only authenticate against the server whose authentication object is highest in the profile order.


Step 10 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed devices. See Applying a System Policy for more information.


 

Configuring Dashboard Settings

License: Any

Supported Devices: Any except X-Series

You can configure the system policy so that Custom Analysis widgets are enabled on the dashboard. Dashboards provide you with at-a-glance views of current system status through the use of widgets: small, self-contained components that provide insight into different aspects of the FireSIGHT System.

The Custom Analysis widget allows you to create a visual representation of events based on a flexible, user-configurable query of the events in your appliance's database. See Understanding the Custom Analysis Widget for more information on how to use custom widgets.

To enable Custom Analysis widgets:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the dashboard settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the dashboard settings as part of a new system policy, click Create Policy . Provide a name and description for the system policy as described in Creating a System Policy, and click Save.

In either case, the Access List page appears.

Step 3 Click Dashboard.

The Dashboard Settings page appears.

Step 4 Select the Enable Custom Analysis Widgets check box to allow users to add Custom Analysis widgets to dashboards. Clear the check box to prohibit users from using those widgets.

Step 5 Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


 

Configuring Database Event Limits

License: Any

Supported Devices: Any except X-Series

Use the Database page to specify the maximum number of each type of event that the Defense Center can store. Note that the setting for audit records also applies to managed devices. To improve performance, you should tailor event limits to the number of events you regularly work with. For some event types, you can disable storage. The following table lists the minimum and maximum number of records you can store for each event type.

 

Table 63-2 Database Event Limits

Each entry gives the event type, its upper event limit (by Defense Center model where the limit varies), and its lower event limit.

intrusion events
  Upper event limit: 2.5 million (DC500); 10 million (DC1000, virtual Defense Center); 20 million (DC750); 30 million (DC1500); 60 million (DC2000); 100 million (DC3000); 150 million (DC3500); 300 million (DC4000)
  Lower event limit: 10,000

discovery events
  Upper event limit: 10 million; 20 million (DC2000, DC4000)
  Lower event limit: zero (disables storage)

connection events and Security Intelligence events
  Upper event limit: 10 million (DC500, DC1000, virtual Defense Center); 50 million (DC750); 100 million (DC1500, DC3000); 300 million (DC2000); 500 million (DC3500); 1 billion (DC4000)
  The upper event limit is shared between connection events and Security Intelligence events; the sum of the configured maximums for the two event types cannot exceed it.
  Lower event limit: zero (disables storage)

connection summaries (aggregated connection events)
  Upper event limit: 10 million (DC500, DC1000, virtual Defense Center); 50 million (DC750); 100 million (DC1500, DC3000); 300 million (DC2000); 500 million (DC3500); 1 billion (DC4000)
  Lower event limit: zero (disables storage)

correlation and compliance white list events
  Upper event limit: 1 million; 2 million (DC2000, DC4000)
  Lower event limit: one

malware events
  Upper event limit: 10 million; 20 million (DC2000, DC4000)
  Lower event limit: 10,000

file events
  Upper event limit: 10 million; 20 million (DC2000, DC4000)
  Lower event limit: zero (disables storage)

health events
  Upper event limit: 1 million
  Lower event limit: zero (disables storage)

audit records
  Upper event limit: 100,000
  Lower event limit: one

remediation status events
  Upper event limit: 10 million
  Lower event limit: one

the white list violation history of the hosts on your network
  Upper event limit: a 30-day history of violations
  Lower event limit: one day’s history

user activity (user events)
  Upper event limit: 10 million
  Lower event limit: one

user logins (user history)
  Upper event limit: 10 million
  Lower event limit: one

rule update import log records
  Upper event limit: 1 million
  Lower event limit: one

If the number of events in the intrusion event database exceeds the maximum, the oldest events and packet files are pruned until the database is back within the event limits. See Configuring a Mail Relay Host and Notification Address for information about generating automated email notifications when events are automatically pruned.

For information on manually pruning the discovery and user databases, see Purging Discovery Data from the Database.

In addition, you can configure an email address that will receive notifications when intrusion events and audit records are pruned from the database.

To configure the maximum number of records in the database:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the database settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the database settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access Control Preferences page appears.

Step 3 Click Database .

The Database page appears.

Step 4 For each of the databases, enter the number of records you want to store.

For information on how many records each database can maintain, see the Database Event Limits table.

Step 5 Optionally, in the Data Pruning Notification Address field, enter the email address you want to receive notifications when intrusion events, discovery events, audit records, security intelligence data, or URL filtering data are pruned from the appliance’s database.

Note that you must also configure an email server. See Configuring a Mail Relay Host and Notification Address for more information.

Step 6 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.
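As an added check (example code, not part of the FireSIGHT System), the following script validates a proposed set of limits against Table 63-2 for a given Defense Center model before you type them into the Database page in Step 4. It enforces the per-model upper limits, the lower limits, and the shared connection/Security Intelligence limit, and flags event types that a value of zero would stop storing; the model names and event-type keys are this example's own naming.

```python
"""Validate proposed FireSIGHT database event limits against Table 63-2.

Added example, not product code: the per-model limits are transcribed from
the Database Event Limits table; the model keys and the event-type keys of
the config dict are this example's own naming.
"""
from __future__ import annotations

M = 1_000_000

# Intrusion event upper limits by Defense Center model.
INTRUSION_UPPER = {
    "DC500": 2_500_000, "DC1000": 10 * M, "virtual": 10 * M, "DC750": 20 * M,
    "DC1500": 30 * M, "DC2000": 60 * M, "DC3000": 100 * M, "DC3500": 150 * M,
    "DC4000": 300 * M,
}
# Connection, Security Intelligence and connection summary upper limits.
CONNECTION_UPPER = {
    "DC500": 10 * M, "DC1000": 10 * M, "virtual": 10 * M, "DC750": 50 * M,
    "DC1500": 100 * M, "DC3000": 100 * M, "DC2000": 300 * M, "DC3500": 500 * M,
    "DC4000": 1000 * M,
}
# Models whose discovery, correlation, malware and file limits are doubled.
LARGE_MODELS = {"DC2000", "DC4000"}

# Lower limits; 0 means the table lets you disable storage for that type.
LOWER = {
    "intrusion": 10_000, "discovery": 0, "connection": 0,
    "security_intelligence": 0, "connection_summary": 0, "correlation": 1,
    "malware": 10_000, "file": 0, "health": 0, "audit": 1, "remediation": 1,
    "whitelist_violation_days": 1, "user_activity": 1, "user_login": 1,
    "rule_update_log": 1,
}


def upper_limits(model: str) -> dict[str, int]:
    """Return the upper limit of every event type for one Defense Center model."""
    if model not in INTRUSION_UPPER:
        raise ValueError(f"unknown Defense Center model: {model}")
    big = model in LARGE_MODELS
    conn = CONNECTION_UPPER[model]
    return {
        "intrusion": INTRUSION_UPPER[model],
        "discovery": 20 * M if big else 10 * M,
        "connection": conn,
        "security_intelligence": conn,  # shares one limit with connection events
        "connection_summary": conn,
        "correlation": 2 * M if big else M,
        "malware": 20 * M if big else 10 * M,
        "file": 20 * M if big else 10 * M,
        "health": M,
        "audit": 100_000,
        "remediation": 10 * M,
        "whitelist_violation_days": 30,  # "a 30-day history of violations"
        "user_activity": 10 * M,
        "user_login": 10 * M,
        "rule_update_log": M,
    }


def check_limits(model: str, config: dict[str, int]) -> tuple[list[str], list[str]]:
    """Check requested maximums (event type -> value) for one model.

    Returns (errors, warnings). Errors are values the Database page cannot
    accept; warnings flag storage turned off with 0, which means no record
    of that event type survives for later investigation.
    """
    upper = upper_limits(model)
    errors: list[str] = []
    warnings: list[str] = []
    valid: dict[str, int] = {}
    for event, value in config.items():
        if event not in upper:
            errors.append(f"{event}: unknown event type")
        elif not isinstance(value, int) or isinstance(value, bool):
            errors.append(f"{event}: limit must be an integer, got {value!r}")
        elif value < LOWER[event]:
            errors.append(f"{event}: {value} is below the lower limit {LOWER[event]}")
        elif value > upper[event]:
            errors.append(f"{event}: {value} exceeds the {model} upper limit {upper[event]}")
        else:
            valid[event] = value
            if value == 0:
                warnings.append(f"{event}: storage disabled")
    # Connection and Security Intelligence events draw on one shared limit, so
    # two individually valid values can still add up to more than it allows.
    shared = valid.get("connection", 0) + valid.get("security_intelligence", 0)
    if shared > upper["connection"]:
        errors.append(f"connection + security_intelligence = {shared} exceeds the "
                      f"shared {model} upper limit {upper['connection']}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample: a DC1000 whose combined connection/SI maximums overflow.
    errs, warns = check_limits("DC1000", {"intrusion": 10 * M, "connection": 6 * M,
                                          "security_intelligence": 5 * M, "file": 0})
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```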


Configuring DNS Cache Properties

License: Any

Supported Devices: Any except X-Series

If you have a DNS server configured on the Network page, you can configure the appliance to resolve IP addresses automatically on the event view pages. As a user assigned the Administrator role, you can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled.

To configure the DNS cache properties:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the DNS cache settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the DNS cache settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click DNS Cache .

The DNS Cache page appears.

Step 4 Select Enabled from the DNS Resolution Caching drop-down list to enable caching. Select Disabled to disable it.


Note DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups. To configure IP address resolution on a per-user-account basis, users must also select Event View Settings from the User Preferences menu, enable Resolve IP Addresses, and then click Save. For information about configuring DNS servers, see Configuring Management Interfaces. For information about configuring event view preferences, see Configuring Event View Settings.


Step 5 In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached in memory before it is removed for inactivity.

The default setting is 300 minutes (five hours).

Step 6 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Caution Although DNS caching is enabled for the appliance, IP address resolution is not enabled on a per-user basis unless it is configured on the Events page accessed from the User Preferences menu.


Configuring a Mail Relay Host and Notification Address

License: Any

Supported Devices: Any except X-Series

You must configure a mail host if you plan to:

  • email event-based reports
  • email status reports for scheduled tasks
  • email change reconciliation reports
  • email data pruning notifications
  • use email for discovery event, impact flag, and correlation event alerting
  • use email for intrusion event alerting
  • use email for health event alerting

You can select an encryption method for the communication between appliance and mail relay host, and can supply authentication credentials for the mail server if needed. After configuring settings, you can test the connection between the appliance and the mail server using the supplied settings.

To configure a mail relay host:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the email settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the email settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Email Notification .

The Configure Email Notification page appears.

Step 4 In the Mail Relay Host field, type the hostname or IP address of the mail server you want to use.


Note The mail host you enter must allow access from the appliance.


Step 5 Enter the port number to use on the email server in the Port Number field. Typical ports are 25 with no encryption, 465 with SSLv3, and 587 with TLS.

Step 6 To select an encryption method, you have the following options:

    • To encrypt communications between the appliance and the mail server using Transport Layer Security, select TLS from the Encryption Method drop-down list.
    • To encrypt communications between the appliance and the mail server using Secure Sockets Layer, select SSLv3 from the Encryption Method drop-down list.
    • To allow unencrypted communication between the appliance and the mail server, select None from the Encryption Method drop-down list.

Note that certificate validation is not required for encrypted communication between the appliance and mail server.

Step 7 Enter a valid email address in the From Address field for use as the source email address for messages sent by the appliance.

Step 8 Optionally, to supply a user name and password when connecting to the mail server, select Use Authentication . Enter a user name in the Username field. Enter a password in the Password field.

Step 9 To send a test email using the configured mail server, click Test Mail Server Settings .

A message appears next to the button indicating the success or failure of the test.

Step 10 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Configuring Network Analysis Policy Preferences

License: Protection

Supported Devices: Any except X-Series

You can configure the system to prompt users for a comment when they modify a network analysis policy. You can use this to track users’ reasons for policy changes. If you enable comments on network analysis policy changes, you can make the comments optional or mandatory. The change description is written to the audit log.

You can also have all network analysis policy changes written to the audit log. For more information on the audit log, see Managing Audit Records.

To configure the network analysis policy comment settings:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the network analysis policy preferences in an existing system policy, click the edit icon next to the system policy.
    • To configure the network analysis policy preferences as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Network Analysis Policy Preferences .

The Network Analysis Policy Preferences page appears.

Step 4 From the Comments on policy change drop-down list, you have the following options:

    • Select Disabled to allow users to modify a network analysis policy without entering a change description.
    • Select Optional to display the Description of Changes window to users when they save changes to a network analysis policy. This allows users the option to describe changes in a comment.
    • Select Required to display the Description of Changes window to users when they save changes to a network analysis policy. This requires users to describe changes in a comment before the changes are saved.

Step 5 Optionally, if you want to write all network analysis policy changes to the audit log, select Write changes in Network Analysis Policy to audit log .

Step 6 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Configuring Intrusion Policy Preferences

License: Protection

Supported Devices: Any except X-Series

You can configure the system to prompt users for a comment when they modify an intrusion policy. You can use this to track users’ reasons for policy changes. If you enable comments on intrusion policy changes, you can make the comments optional or mandatory. The change description is written to the audit log.

You can also have all intrusion policy changes written to the audit log. For more information on the audit log, see Managing Audit Records.

To configure the intrusion policy comment settings:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the intrusion policy preferences in an existing system policy, click the edit icon next to the system policy.
    • To configure the intrusion policy preferences as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Intrusion Policy Preferences .

The Intrusion Policy Preferences page appears.

Step 4 From the Comments on policy change drop-down list, you have the following options:

    • Select Disabled to allow users to modify an intrusion policy without entering a change description.
    • Select Optional to display the Description of Changes window to users when they save changes to an intrusion policy. This allows users the option to describe changes in a comment.
    • Select Required to display the Description of Changes window to users when they save changes to an intrusion policy. This requires users to describe changes in a comment before the changes are saved.

Step 5 Optionally, if you want to write all intrusion policy changes to the audit log, select Write changes in Intrusion Policy to audit log .

Step 6 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Specifying a Different Language

License: Any

Supported Devices: Any except X-Series

You can use the Language page to specify a different language for the web interface.


Caution The language you select here is used for the web interface for every user who logs into the appliance.

To select a different language for the user interface:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the language settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the language settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Language .

The Language page appears.

Step 4 Select the language you want to use.

Step 5 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Adding a Custom Login Banner

License: Any

Supported Devices: Any except X-Series

You can create a custom login banner that appears when users log into the appliance using SSH and on the login page of the web interface. Banners can contain any printable characters except the less-than symbol (<) and the greater-than symbol (>).

To add a custom banner:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the login banner in an existing system policy, click the edit icon next to the system policy.
    • To configure the login banner as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Login Banner .

The Login Banner page appears.

Step 4 In the Custom Login Banner field, enter the login banner you want to use with this system policy.

Step 5 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Configuring SNMP Polling

License: Any

Supported Devices: Any except X-Series

You can enable Simple Network Management Protocol (SNMP) polling of an appliance using the system policy. The SNMP feature supports use of versions 1, 2, and 3 of the SNMP protocol.

This feature allows access to:

  • the standard management information base (MIB) for the appliance, which includes system details such as contact, administrative, location, service information, IP addressing and routing information, and transmission protocol usage statistics
  • additional MIBs for managed devices that include statistics on traffic passing through physical interfaces, logical interfaces, virtual interfaces, ARP, NDP, virtual bridges, and virtual routers

Note that enabling the system policy SNMP feature does not cause the appliance to send SNMP traps; it only makes the information in the MIBs available for polling by your network management system.


Note You must add SNMP access for any computer you plan to use to poll the appliance. For more information, see Configuring the Access List for Your Appliance. Note that the SNMP MIB contains information that could be used to attack your appliance. Cisco recommends that you restrict your access list for SNMP access to the specific hosts that will be used to poll for the MIB. Cisco also recommends you use SNMPv3 and use strong passwords for network management access.


To configure SNMP polling:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the SNMP polling settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the SNMP polling settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Create .

In either case, the Access List page appears.

Step 3 If you have not already added SNMP access for each computer you plan to use to poll the appliance, do so now. For more information, see Configuring the Access List for Your Appliance.

Step 4 Click SNMP .

The SNMP page appears.

Step 5 From the SNMP Version drop-down list, select the SNMP version you want to use.

The drop-down list displays the version you selected.

Step 6 You have the following options:

    • If you selected Version 1 or Version 2 , type the SNMP community name in the Community String field. Go to step 15 .

Note SNMPv2 only supports read-only communities.


    • If you selected Version 3 , click Add User to display the user definition page.

Note SNMPv3 only supports read-only users. SNMPv3 also supports encryption with AES128.


Step 7 Enter a username in the Username field.

Step 8 Select the protocol you want to use for authentication from the Authentication Protocol drop-down list.

Step 9 Type the password required for authentication with the SNMP server in the Authentication Password field.

Step 10 Retype the authentication password in the Verify Password field just below the Authentication Password field.

Step 11 Select the privacy protocol you want to use from the Privacy Protocol list, or select None to not use a privacy protocol.

Step 12 Type the SNMP privacy key required by the SNMP server in the Privacy Password field.

Step 13 Retype the privacy password in the Verify Password field just below the Privacy Password field.

Step 14 Click Add .

The user is added. You can repeat steps 6 through 13 to add additional users. Click the delete icon to delete a user.

Step 15 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Enabling STIG Compliance

License: Any

Supported Devices: Any except X-Series

Organizations within the United States federal government sometimes need to comply with a series of security checklists set out in Security Technical Implementation Guides (STIGs). The STIG Compliance option enables settings intended to support compliance with specific requirements set out by the United States Department of Defense.

If you enable STIG compliance on any appliances in your deployment, you must enable it on all appliances. Non-compliant managed devices cannot be registered to STIG-compliant Defense Centers and STIG-compliant devices cannot be registered to non-compliant Defense Centers.

Enabling STIG compliance does not guarantee strict compliance to all applicable STIGs. For more information on FireSIGHT System STIG compliance when using this mode for this version of the product, contact Support to obtain a copy of the FireSIGHT System STIG Release Notes for Version 5.4.1.

When you enable STIG compliance, password complexity and retention rules for local shell access accounts change. For more information on these settings, see the FireSIGHT System STIG Release Notes for Version 5.4.1. In addition, you cannot use SSH remote storage when in STIG compliance mode.

Note that applying a system policy with STIG compliance enabled forces appliances to reboot. If you apply a system policy with STIG enabled to an appliance that already has STIG enabled, the appliance does not reboot. If you apply a system policy with STIG disabled to an appliance that has STIG enabled, STIG remains enabled and the appliance does not reboot.

For appliances upgraded from versions earlier than Version 5.2.0, applying a policy with compliance enabled also regenerates appliance certificates, so you will need to re-register already registered managed devices or peers.


Caution You cannot disable this setting without assistance from Support. In addition, this setting may substantially impact the performance of your system. Cisco does not recommend enabling STIG compliance except to comply with Department of Defense security requirements.

To enable STIG compliance:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the STIG compliance settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the STIG compliance settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click STIG Compliance .

The STIG Compliance page appears.

Step 4 If you want to permanently enable STIG compliance on the appliance, select Enable STIG Compliance .


Caution You cannot disable STIG compliance on an appliance after you apply a policy with STIG compliance enabled. If you need to disable compliance, contact Support.

Step 5 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.

When you apply a system policy that enables STIG compliance to an appliance, note that the appliance reboots. Note that if you apply a system policy with STIG enabled to an appliance that already has STIG enabled, the appliance does not reboot.

In addition, you need to re-register devices after enabling STIG compliance if the devices were upgraded from versions earlier than Version 5.2.0.


Synchronizing Time

License: Any

Supported Devices: Any except X-Series

You can manage time synchronization on the appliance using the Time Synchronization page. You can choose to synchronize the time:

  • manually
  • using one or more NTP servers (one of which can be a Defense Center)

Time settings are part of the system policy. You can specify the time settings either by creating a new system policy or by editing an existing policy. In either case, the time setting is not used until you apply the system policy.

Note that time settings are displayed on most pages on the appliance in local time using the time zone you set on the Time Zone page (America/New York by default), but are stored on the appliance itself using UTC time. In addition, the current time appears in UTC at the top of the Time Synchronization page (local time is displayed in the Manual clock setting option, if enabled).

You must use native applications, such as command line interfaces or the operating system interface, to manage time settings for Cisco NGIPS for Blue Coat X-Series. Synchronize time for Cisco NGIPS for Blue Coat X-Series and its managing Defense Center from the same physical appliance or NTP server. For more information, see the Cisco Software for X-Series Installation Guide .

You can synchronize the appliance’s time with an external time server. If you specify a remote NTP server, your appliance must have network access to it. Do not specify an untrusted NTP server. Connections to NTP servers do not use configured proxy settings. To use the Defense Center as an NTP server, see Serving Time from the Defense Center.

Cisco recommends that you synchronize your virtual appliances to a physical NTP server. Do not synchronize your managed devices (virtual or physical) to a Virtual Defense Center.


Note Ensure that the time on your Defense Center and managed devices matches after time synchronization. Otherwise, unintended consequences may occur when the managed devices communicate with the Defense Center.


The procedure for synchronizing time differs slightly depending on whether you are using the web interface on a Defense Center or a managed device. Each procedure is explained separately below.

To synchronize time:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the time settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the time settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Time Synchronization .

The Time Synchronization page appears.

Step 4 If you want to serve time from the Defense Center to your managed devices, in the Serve time via NTP drop-down list, select Enabled .

Step 5 You have the following options for specifying how the time is synchronized on the Defense Center:

    • To set the time manually, select Manually in Local Configuration . See Setting the Time Manually for information about setting the time after you apply the system policy.
    • To receive time through NTP from a different server, select Via NTP from and, in the text box, type a comma-separated list of IP addresses for the NTP servers you want to use or, if DNS is enabled, type the fully qualified host and domain names.

Caution If the appliance is rebooted and your DHCP server sets an NTP server record different than the one you specify here, the DHCP-provided NTP server will be used instead. To avoid this situation, configure your DHCP server to set the same NTP server.

Step 6 You have the following options for specifying how time is synchronized on any managed devices:

    • Select Manually in Local Configuration to set the time manually. See Setting the Time Manually for information about setting the time after you apply the system policy.
    • Select Via NTP from Defense Center to receive time through NTP from the Defense Center. See Serving Time from the Defense Center for more information.
    • Select Via NTP from to receive time through NTP from different servers. In the text box, type a comma-separated list of IP addresses of the NTP servers or, if DNS is enabled, type the fully qualified host and domain names.

Note It may take a few minutes for the managed device to synchronize with the configured NTP servers. In addition, if you are synchronizing the managed device to a Defense Center that is configured as an NTP server, and the Defense Center itself is configured to use an NTP server, it may take some time for the time to synchronize. This is because the Defense Center must first synchronize with its configured NTP server before it can serve time to the managed device.


Step 7 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy. See Applying a System Policy for more information.


Serving Time from the Defense Center

License: Any

Supported Devices: Any except X-Series

You can configure the Defense Center as a time server using NTP and then use it to synchronize time between the Defense Center and managed devices.

Note that you cannot set the time manually after configuring the Defense Center to serve time using NTP. If you need to manually change the time, you should do so before configuring the Defense Center to serve time using NTP. If you need to change the time manually after configuring the Defense Center as an NTP server, disable the Via NTP option and click Save , change the time manually and click Save , and then enable Via NTP and click Save .


Note If you configure the Defense Center to serve time using NTP, and then later disable it, the NTP service on managed devices still attempts to synchronize time with the Defense Center. You must disable NTP from the managed devices’ web interfaces to stop the synchronization attempts.


To configure the Defense Center as an NTP server:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify the NTP server settings in an existing system policy, click the edit icon next to the system policy.
    • To configure the NTP server settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click Time Synchronization .

The Time Synchronization page appears.

Step 4 From the Serve Time via NTP drop-down list, select Enabled .

Step 5 In the Set My Clock option for the managed device, select Via NTP from Defense Center .

Step 6 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed devices. See Applying a System Policy for more information.


Note It may take a few minutes for the Defense Center to synchronize with its managed devices.



Configuring User Interface Settings

License: Any

Supported Devices: Any except X-Series

Unattended login sessions of the FireSIGHT System web interface or command line interface may be security risks. You can configure, in minutes, the amount of idle time before a user’s login session times out due to inactivity. You can also set a similar timeout for shell (command line) sessions.

Your deployment may have users who plan to passively, securely monitor the web interface for long periods of time. You can exempt users from the web interface session timeout with a user configuration option. (Users with the Administrator role, whose complete access to menu options poses an extra risk if compromised, cannot be made exempt from session timeouts.) For more information, see Managing User Login Settings.

For cases in which you must restrict shell access to the system, a third option allows you to permanently disable the expert command in the command line. Disabling expert mode on an appliance prevents any user, even users with Configuration shell access, from going into expert mode in the shell. When a user goes into expert mode on the command line, the user can run any Linux command appropriate to the shell. When not in expert mode, command line users can only run the commands provided by the command line interface. Note that the command line interface is not supported for Series 2 appliances.

For more information on command line interface commands, see Command Line Reference. For information on setting up users for command line access, see Managing Command Line Access and Command Line Reference (for virtual device CLI user management).

To configure user interface settings:

Access: Admin


Step 1 Select System > Local > System Policy .

The System Policy page appears.

Step 2 You have the following options:

    • To modify user interface settings in an existing system policy, click the edit icon next to the system policy.
    • To configure user interface settings as part of a new system policy, click Create Policy .

Provide a name and description for the system policy as described in Creating a System Policy, and click Save .

In either case, the Access List page appears.

Step 3 Click User Interface .

The User Interface page appears.

Step 4 You have the following options:

    • To configure session timeout for the web interface, type a number (of minutes) in the Browser Session Timeout (Minutes) field. The default value is 60 ; the maximum value is 1440 (24 hours).

For information on how to exempt users from this session timeout, see Managing User Login Settings.

    • To configure session timeout for the command line interface, type a number (of minutes) in the Shell Timeout (Minutes) field. The default value is 0 ; the maximum value is 1440 (24 hours).
    • To permanently disable the expert command in the command line interface, select the Permanently Disable Expert Access check box.

Caution After you apply a system policy with expert mode disabled to an appliance, you cannot restore the ability to access expert mode through the web interface or the command line. You must contact Support to restore the expert mode capability.

Step 5 Click Save Policy and Exit .

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed devices. Changes to session timeout intervals do not take effect until the next login session.



Mapping Vulnerabilities for Servers

License: Protection

Supported Devices: Any except X-Series

The FireSIGHT System automatically maps vulnerabilities to a host IP address for any application protocol traffic received or sent from that address, when the server has an application ID in the discovery event database and the packet header for the traffic includes a vendor and version.

However, many servers do not include vendor and version information. For each server listed in the system policy, you can configure whether the system associates vulnerabilities with traffic from servers that report no vendor or version.

For example, a host serves SMTP traffic that does not have a vendor or version in the header. If you enable the SMTP server on the Vulnerability Mapping page of a system policy, then apply that policy to the Defense Center managing the device that detects the traffic, all vulnerabilities associated with SMTP servers are added to the host profile for the host.

Although custom application protocol detectors collect server information and add it to host profiles, the system does not use them for vulnerability mapping, because you cannot specify a vendor or version for a custom application protocol detector and cannot select such a server for vulnerability mapping in the system policy.
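The mapping rules in the preceding paragraphs can be modelled as a small decision function. The following Python is an added illustration written for this page, not Cisco code or any FireSIGHT API: the application ID list, the vulnerability records (placeholder IDs, not real vulnerability identifiers) and the host addresses are constructed sample data, and the rule that a vendor-and-version match selects only the records with that vendor and version (None acting as a wildcard) is an assumption of the model, since the page only states that mapping happens in that case. The point it shows is the cost of selecting a server's check box: every vulnerability associated with that server type is added to the host profile, whether or not the host actually runs an affected product.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Vulnerability:
    """Constructed vulnerability record (IDs are placeholders, not real IDs)."""
    vuln_id: str
    application: str          # application protocol the vulnerability applies to
    vendor: Optional[str]     # None = applies to any vendor of this protocol
    version: Optional[str]    # None = applies to any version


@dataclass(frozen=True)
class DetectedServer:
    """A server detected on a host from application protocol traffic."""
    host_ip: str
    application: str
    vendor: Optional[str] = None      # None = packet header carried no vendor
    version: Optional[str] = None     # None = packet header carried no version
    custom_detector: bool = False     # found by a custom app protocol detector


# Constructed sample data standing in for the discovery application ID
# database and a tiny vulnerability database. Nothing here comes from a real
# FireSIGHT installation.
KNOWN_APP_IDS: Set[str] = {"SMTP", "HTTP", "SSH"}

SAMPLE_VULN_DB: List[Vulnerability] = [
    Vulnerability("V-1", "SMTP", "Acme", "2.0"),
    Vulnerability("V-2", "SMTP", "Acme", "1.0"),
    Vulnerability("V-3", "SMTP", "OtherCo", "3.1"),
    Vulnerability("V-4", "SMTP", None, None),      # generic to all SMTP servers
    Vulnerability("V-5", "HTTP", "Acme", "1.0"),
]


def map_vulnerabilities(server: DetectedServer,
                        vuln_db: List[Vulnerability],
                        known_app_ids: Set[str],
                        versionless_enabled: Set[str]) -> Set[str]:
    """Return the vulnerability IDs the host profile would receive.

    versionless_enabled models the servers whose check box is selected on
    the Vulnerability Mapping page of the applied system policy.
    """
    # Custom application protocol detectors are never used for mapping.
    if server.custom_detector:
        return set()
    # Mapping requires an application ID in the discovery event database.
    if server.application not in known_app_ids:
        return set()

    app_vulns = [v for v in vuln_db if v.application == server.application]

    if server.vendor and server.version:
        # Vendor and version present: mapped automatically. Selecting records
        # by vendor/version with None as a wildcard is this model's assumption.
        return {v.vuln_id for v in app_vulns
                if v.vendor in (None, server.vendor)
                and v.version in (None, server.version)}

    # Vendor or version missing: the system policy decides. Enabled means
    # every vulnerability for that server type is added to the host profile.
    if server.application in versionless_enabled:
        return {v.vuln_id for v in app_vulns}
    return set()


def compare_policies(server: DetectedServer) -> Dict[str, Set[str]]:
    """Map the same traffic with the SMTP check box selected and cleared."""
    return {
        "selected": map_vulnerabilities(server, SAMPLE_VULN_DB, KNOWN_APP_IDS, {"SMTP"}),
        "cleared": map_vulnerabilities(server, SAMPLE_VULN_DB, KNOWN_APP_IDS, set()),
    }


if __name__ == "__main__":
    # Constructed host: SMTP traffic whose header has no vendor or version.
    versionless_smtp = DetectedServer("192.0.2.10", "SMTP")
    for setting, vulns in compare_policies(versionless_smtp).items():
        print(f"SMTP check box {setting}: {sorted(vulns)}")
```

Running the block prints the two outcomes for the versionless SMTP host side by side: with the check box selected the host profile picks up all four SMTP records, including the ones for vendors it may not run; cleared, it picks up none. That is the trade-off to weigh before enabling a server on the Vulnerability Mapping page.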

To configure vulnerability mapping for servers:

Access: Admin


Step 1 Select System > Local > System Policy.

The System Policy page appears.

Step 2 You have the following options:

    • To modify vulnerability mapping settings in an existing system policy, click the edit icon next to the system policy.
    • To configure vulnerability mapping settings as part of a new system policy, click Create Policy.

Provide a name and description for the system policy as described in Creating a System Policy, and click Save.

In either case, the Access List page appears.

Step 3 Click Vulnerability Mapping.

The Vulnerability Mapping page appears.

Step 4 You have the following options:

    • To prevent vulnerabilities for a server from being mapped to hosts that receive application protocol traffic without vendor or version information, clear the check box for that server.
    • To cause vulnerabilities for a server to be mapped to hosts that receive application protocol traffic without vendor or version information, select the check box for that server.

Tip You can select or clear all check boxes at once using the check box next to Enabled.


Step 5 Click Save Policy and Exit.

The system policy is updated. Your changes do not take effect until you apply the system policy to the Defense Center and its managed devices. See Applying a System Policy for more information.