Cisco Success Network Telemetry Data Collected from Cisco Secure Firewall Management Center
Cisco Success Network allows an enrolled FMC to continuously stream real-time configuration and operating state information to the Cisco Success Network cloud. This document provides a list of the collected and monitored data.
Enrolled Device Data
Once you enroll the FMC in Cisco Success Network, selected telemetry data about the enrolled FMC device is streamed to the Cisco cloud. The following table describes the collected and monitored data about the enrolled device. The data includes feature-specific information about intrusion policies (both system-provided and custom) and malware detection for enrolled FMCs.
Data Point | Example Value |
---|---|
Device Name | Management Center East |
Device UUID | 24fd0ccf-1464-491f-a503-d241317bb327 |
HA Peer UUID | 24fe0ccd-1564-491h-b802-d321317cc827 |
Device Model | Cisco Firepower Management Center 4000; Cisco Firepower Management Center for VMWare |
Serial Number | 9AMDESQP6UN |
System Uptime | 99700000 |
Product Identifier | FS-VMW-SW-K9 |
Smart License PIID | 24fd0ccf-1464-491f-a503-d241317bb327 |
Virtual Account Identifier | CiscoSVStemp |
Smart License Virtual Account Name | FTD-ENG-SJC |
Software Version Data
Cisco Success Network collects software information that pertains to the enrolled FMC device, including software version, rule update version, geolocation database version, and vulnerability database version information. The following table describes the collected and monitored software information about the enrolled device.
Data Point | Example Value |
---|---|
FMC Software Version | { type: "SOFTWARE", version: "x.x.x.x" } |
Rule Update Version | { version: "2016-11-29-001-vrt", lastUpdated: 1468606837000 } |
Vulnerability Database (VDB) Version | { version: "271", lastUpdated: 1468606837000 } |
Geolocation Database Version | { version: "850" } |
Managed Device Data
Cisco Success Network collects information about all the managed devices associated with an enrolled FMC. The following table describes the collected and monitored information about managed devices. This includes feature-specific policy and licensing information, such as URL filtering, intrusion prevention, and malware detection for managed devices.
Data Point | Example Value |
---|---|
Managed Device Name. | firepower |
Managed Device Version. | 6.2.3-10616 |
Managed Device Manager. | FMC |
Managed Device Model. | Cisco Firepower 2130 NGFW Appliance; Cisco FTD VMware |
Managed Device Serial Number. | 9AMDESQP6UN |
Managed Device PID. | FPR2130-NGFW-K9; NGFWv |
Is URL Filtering License Used for Device? | True |
AC Rules with URL Filtering Per Device. | 10 |
Number of AC Rules with URL Filtering That Use URL Filtering License. | 3 |
Number of AC Rules with URL Filtering That Use Threat License. | 3 |
Is Threat License Used for Device? | True |
Does AC Policy Have Intrusion Rule Attached? | True |
Number of AC Rules with Intrusion Policies. | 10 |
Is Malware License Used for Device? | True |
Number of AC Rules with Malware Policy. | 10 |
Number of AC Rules with Malware Policy That Use Malware License. | 5 |
Is Threat Intelligence Director (TID) Used for Device? | True |
Count of local URL items. | {"url": "/api/local/fmc_config/v1/domain/{domainUUID}/object/networks", "count": 10}, {"url": "/api/local/fmc_platform/v1/info/serverversion", "count": 2} |
Deployment Information
After you configure your deployment, you must deploy the changes to the affected devices. The following table describes the collected and monitored data about configuration deployment, such as the number of devices affected and the status of deployments, including success and failure information.
Data Point | Example Value |
---|---|
Job ID | 8589936079 |
Number of Devices Selected for Deployment | 3 |
Number of Devices with Deployment Failure | 1 |
Number of Devices with Deployment Success | 2 |
End Time | 1523993913001 |
Start Time | 1523993840445 |
Status | SUCCEEDED |
Target Device UUID | 4f14f644-41e0-11e8-9354-cf32315d7095 |
Policy Types Deployed | NetworkDiscovery; NGFWPolicy; DeviceConfiguration |
Last Deployment Job ID Collected in Current Run | 8589936079 |
Container Type (Standalone or HA Pair) | STANDALONE; HAPAIR |
Container UUID | 5e006633-30fe-11e9-8a70-cd88086eeac0 |
Device Model | Cisco FTD for VMWare |
Device Version | 6.4.0 |
Policy Bundle Size | 3588153 |
Count of CSPA | An integer value of 0 or greater |
Count of CSPA query | An integer value of 0 or greater |
Count of CSPA group query | An integer value of 0 or greater |
TLS/SSL Inspection Event Data
By default, the Firepower System cannot inspect traffic encrypted with the Secure Sockets Layer (SSL) protocol or its successor, the Transport Layer Security (TLS) protocol. TLS/SSL inspection enables you to either block encrypted traffic without inspecting it, or inspect encrypted or decrypted traffic with access control. The following tables describe statistics shared with Cisco Success Network about encrypted traffic.
Handshake Process
When the system detects a TLS/SSL handshake over a TCP connection, it determines whether it can decrypt the detected traffic. As the system handles encrypted sessions, it logs details about the traffic.
Data Point | Example Value |
---|---|
The system reports the following applied actions when the traffic cannot be decrypted and is: | An integer value of 0 or greater |
The system reports the following applied actions when the traffic can be decrypted: | An integer value of 0 or greater |
Cache Data
After a TLS/SSL handshake completes, the managed device caches encrypted session data, which allows session resumption without requiring the full handshake. The managed device also caches server certificate data, which allows faster handshake processing in subsequent sessions.
Data Point | Example Value |
---|---|
The system caches encrypted session data and server certificate data, and reports on the cache per SSL connections, specifically: | An integer value of 0 or greater |
Is SSL Usage enabled on the FMC? | True |
Certificate Status
The system evaluates encrypted traffic and reports the certificate status of the encrypting server.
Data Point | Example Value |
---|---|
The system evaluates encrypted traffic based on the certificate status of the encrypting server, and reports. | An integer value of 0 or greater |
Failure Reason
The system evaluates encrypted traffic and reports the failure reason when the system fails to decrypt traffic.
Data Point | Example Value |
---|---|
The system evaluates encrypted traffic and reports the failure reason when the system fails to decrypt traffic due to: | An integer value of 0 or greater |
Version
The system evaluates encrypted traffic and reports the negotiated TLS/SSL version per connection.
Data Point | Example Value |
---|---|
The system evaluates encrypted traffic and reports the negotiated version per SSL connections where: | An integer value of 0 or greater |
Snort Restart Data
When the traffic inspection engine, referred to as the Snort process, restarts on a managed device, inspection is interrupted until the process resumes. Creating or deleting a user-defined application, or activating or deactivating a system or custom application detector, immediately restarts the Snort process without going through the deploy process. The system warns you that continuing restarts the Snort process and allows you to cancel; the restart occurs on any managed device in the current domain or in any of its child domains.
Data Point | Example Value |
---|---|
Count of snort restarts when you enable or disable a custom application detector. | An integer value of 0 or greater |
Count of snort restarts when you create or modify a custom application detector. | An integer value of 0 or greater |
Contextual Cross-Launch Data
The contextual cross-launch feature allows you to quickly find more information about potential threats in web-based resources outside of the FMC. You can click directly from an event in the event viewer or dashboard in the FMC to the relevant information in an external resource. This lets you quickly gather context around a specific event based on its IP addresses, ports, protocol, domain, and/or SHA 256 hash.
Data Point | Example Value |
---|---|
The count of the Contextual Cross-Launch resources configured on the FMC. | An integer value of 0 or greater |
The count of the Contextual Cross-Launch resources enabled on the FMC. | An integer value of 0 or greater |
The count of Contextual Cross-Launch instances containing a domain variable. | An integer value of 0 or greater |
The count of Contextual Cross-Launch instances containing an IP variable. | An integer value of 0 or greater |
The count of Contextual Cross-Launch instances containing a SHA 256 variable. | An integer value of 0 or greater |
The count of src_ip | An integer value of 0 or greater |
The count of dest_ip | An integer value of 0 or greater |
The count of port | An integer value of 0 or greater |
The count of protocol | An integer value of 0 or greater |
The count of src_port | An integer value of 0 or greater |
The count of dest_port | An integer value of 0 or greater |
Telemetry Example File
The following is an example of a Cisco Success Network telemetry file for streaming policy and deployment information about an FMC and its managed devices:
```json
{
  "recordType" : "CST_FMC",
  "recordVersion" : "6.4.0",
  "recordedAt" : 1550467152050,
  "fmc" : {
    "deviceInfo" : {
      "deviceModel" : "Cisco Firepower Management Center for VMWare",
      "deviceName" : "firepower",
      "deviceUuid" : "19952582-30cf-11e9-a090-503c97636361",
      "serialNumber" : "None",
      "smartLicenseProductInstanceIdentifier" : "aca246a5-6d51-4eb7-9fd2-118b177dc4de",
      "smartLicenseVirtualAccountName" : "FTD-ENG-BLR",
      "systemUptime" : 262007000,
      "udiProductIdentifier" : "FS-VMW-SW-K9"
    },
    "versions" : {
      "items" : [ {
        "lastUpdated" : 0,
        "type" : "SOFTWARE",
        "version" : "6.4.0-1335"
      }, {
        "lastUpdated" : 0,
        "type" : "SNORT_RULES_DB",
        "version" : "2018-10-10-001-vrt"
      }, {
        "lastUpdated" : 1550200610000,
        "type" : "VULNERABILITY_DB",
        "version" : "309"
      }, {
        "lastUpdated" : 0,
        "type" : "GEOLOCATION_DB",
        "version" : "None"
      } ]
    }
  },
  "managedDevices" : {
    "items" : [ {
      "deviceInfo" : {
        "deviceManager" : "FMC",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceName" : "10.10.17.220",
        "deviceVersion" : "6.4.0-1335",
        "serialNumber" : "9AUVT5GTRPA"
      },
      "malware" : {
        "malwareLicenseUsed" : false,
        "numberOfACRulesNeedMalwareLicense" : 10,
        "numberOfACRulesWithMalware" : 20
      },
      "sslUsage" : {
        "isSSLEnabled" : false
      },
      "threat" : {
        "acPolicyHasIntrusion" : true,
        "acRulesWithIntrusion" : 20,
        "isTIDEnabled" : true,
        "threatLicenseUsed" : true
      },
      "urlFiltering" : {
        "acRulesWithURLFiltering" : 10,
        "urlFilteringLicenseUsed" : true
      }
    }, {
      "deviceInfo" : {
        "deviceManager" : "FMC",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceName" : "10.10.17.221",
        "deviceVersion" : "6.4.0-1335",
        "serialNumber" : "9A0NMB3VAL7"
      },
      "malware" : {
        "malwareLicenseUsed" : false,
        "numberOfACRulesNeedMalwareLicense" : 0,
        "numberOfACRulesWithMalware" : 0
      },
      "sslUsage" : {
        "isSSLEnabled" : false
      },
      "threat" : {
        "acPolicyHasIntrusion" : false,
        "acRulesWithIntrusion" : 0,
        "isTIDEnabled" : false,
        "threatLicenseUsed" : false
      },
      "urlFiltering" : {
        "acRulesWithURLFiltering" : 0,
        "urlFilteringLicenseUsed" : false
      }
    }, {
      "deviceInfo" : {
        "deviceManager" : "FMC",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceName" : "10.10.17.222",
        "deviceVersion" : "6.4.0-1335",
        "serialNumber" : "9ATSKTCFNXA"
      },
      "malware" : {
        "malwareLicenseUsed" : true,
        "numberOfACRulesNeedMalwareLicense" : 0,
        "numberOfACRulesWithMalware" : 0
      },
      "sslUsage" : {
        "isSSLEnabled" : false
      },
      "threat" : {
        "acPolicyHasIntrusion" : false,
        "acRulesWithIntrusion" : 0,
        "isTIDEnabled" : false,
        "threatLicenseUsed" : true
      },
      "urlFiltering" : {
        "acRulesWithURLFiltering" : 0,
        "urlFilteringLicenseUsed" : true
      }
    }, {
      "deviceInfo" : {
        "deviceManager" : "FMC",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceName" : "10.10.17.223",
        "deviceVersion" : "6.4.0-1335",
        "serialNumber" : "9AP4B2J9BC1"
      },
      "malware" : {
        "malwareLicenseUsed" : true,
        "numberOfACRulesNeedMalwareLicense" : 0,
        "numberOfACRulesWithMalware" : 0
      },
      "sslUsage" : {
        "isSSLEnabled" : false
      },
      "threat" : {
        "acPolicyHasIntrusion" : false,
        "acRulesWithIntrusion" : 0,
        "isTIDEnabled" : false,
        "threatLicenseUsed" : true
      },
      "urlFiltering" : {
        "acRulesWithURLFiltering" : 0,
        "urlFilteringLicenseUsed" : true
      }
    } ]
  },
  "deploymentData" : {
    "deployJobInfoList" : [ {
      "jobDeviceList" : [ {
        "containerType" : "STANDALONE",
        "deployEndTime" : "1550466953538",
        "deployStartTime" : "1550466890057",
        "deployStatus" : "SUCCEEDED",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceOSVersion" : "6.4.0",
        "deviceUuid" : "8918db92-30de-11e9-a576-92cc6a3b249d",
        "pgTypes" : "[PG.FIREWALL.NGFWAccessControlPolicy]",
        "policyBundleSize" : 3588153
      }, {
        "containerType" : "STANDALONE",
        "deployEndTime" : "1550466953634",
        "deployStartTime" : "1550466890057",
        "deployStatus" : "SUCCEEDED",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceOSVersion" : "6.4.0",
        "deviceUuid" : "87cf54e6-30de-11e9-8fdb-ce9d0fc91a42",
        "pgTypes" : "[PG.FIREWALL.NGFWAccessControlPolicy]",
        "policyBundleSize" : 3588172
      }, {
        "containerID" : "5f009744-30fe-11e9-8a70-cd88086eeac0",
        "containerType" : "HAPAIR",
        "deployEndTime" : "1550467052791",
        "deployStartTime" : "1550466890057",
        "deployStatus" : "SUCCEEDED",
        "deviceModel" : "Cisco Firepower Threat Defense for VMWare",
        "deviceOSVersion" : "6.4.0",
        "deviceUuid" : "c8df3b96-30ce-11e9-b5e5-d6beeb6498f5",
        "pgTypes" : "[PG.FIREWALL.NGFWAccessControlPolicy]",
        "policyBundleSize" : 3588212
      } ],
      "jobId" : "12884903350",
      "numberOfDevices" : 3,
      "numberOfFailedDevices" : 0,
      "numberOfSuccessDevices" : 3
    } ],
    "lastJobId" : "12884903350"
  },
  "cspa" : {
    "cspaCount" : 0,
    "queryCount" : 0,
    "queryGroupCount" : 0
  },
  "analysis" : {
    "crossLaunchInfo" : {
      "count" : 28,
      "enabledCount" : 28,
      "iocInfo" : [ {
        "domain" : 10,
        "ip" : 9,
        "sha256" : 9,
        "src_ip" : 5,
        "dest_ip" : 11,
        "port" : 3,
        "protocol" : 1,
        "src_port" : 14,
        "dest_port" : 5,
        "port" : 2
      } ]
    }
  },
  "SSLStats" : {
    "action" : {
      "block" : 0,
      "block_with_reset" : 0,
      "decrypt_resign_self_signed" : 0,
      "decrypt_resign_self_signed_replace_key_only" : 0,
      "decrypt_resign_signed_cert" : 0,
      "decrypt_with_known_key" : 0,
      "do_not_decrypt" : 0
    },
    "cache_status" : {
      "cached_session" : 0,
      "cert_validation_cache_hit" : 0,
      "cert_validation_cache_miss" : 0,
      "orig_cert_cache_hit" : 0,
      "orig_cert_cache_miss" : 0,
      "resigned_cert_cache_hit" : 0,
      "resigned_cert_cache_miss" : 0,
      "session_cache_hit" : 0,
      "session_cache_miss" : 0
    },
    "cert_status" : {
      "cert_expired" : 0,
      "cert_invalid_issuer" : 0,
      "cert_invalid_signature" : 0,
      "cert_not_checked" : 0,
      "cert_not_yet_valid" : 0,
      "cert_revoked" : 0,
      "cert_self_signed" : 0,
      "cert_unknown" : 0,
      "cert_valid" : 0
    },
    "failure_reason" : {
      "decryption_error" : 0,
      "handshake_error_before_verdict" : 0,
      "handshake_error_during_verdict" : 0,
      "ssl_compression" : 0,
      "uncached_session" : 0,
      "undecryptable_in_passive_mode" : 0,
      "unknown_cipher_suite" : 0,
      "unsupported_cipher_suite" : 0
    },
    "version" : {
      "ssl_v20" : 0,
      "ssl_v30" : 0,
      "ssl_version_unknown" : 0,
      "tls_v10" : 0,
      "tls_v11" : 0,
      "tls_v12" : 0,
      "tls_v13" : 0
    }
  },
  "snortRestart" : {
    "appDetectorSnortRestartCnt" : 0,
    "appSnortRestartCnt" : 0
  }
}
```
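The following added example (not Cisco code) shows how a reviewer could parse a record shaped like the example file, surface keys repeated inside one object (the example file's `iocInfo` entry lists `port` twice, and a standard parser silently keeps only the last value), and flag two conditions worth follow-up. The function names, the constructed sample values, and the reading of the malware counters as "rules need a license that is not in use" are assumptions.

```python
import json

# Constructed sample: trimmed record reusing field names from the example file
# above; the counter values and the repeated "port" key are set for the demo.
SAMPLE = """
{"managedDevices": {"items": [
   {"deviceInfo": {"deviceName": "10.10.17.220"},
    "malware": {"malwareLicenseUsed": false,
                "numberOfACRulesNeedMalwareLicense": 10}},
   {"deviceInfo": {"deviceName": "10.10.17.222"},
    "malware": {"malwareLicenseUsed": true,
                "numberOfACRulesNeedMalwareLicense": 0}}]},
 "analysis": {"crossLaunchInfo": {"iocInfo": [{"port": 3, "src_port": 14, "port": 2}]}},
 "SSLStats": {"version": {"ssl_v30": 0, "tls_v10": 4, "tls_v12": 120, "tls_v13": 75}}}
"""

LEGACY = ("ssl_v20", "ssl_v30", "tls_v10", "tls_v11")  # deprecated protocol versions

def load_record(text):
    """Parse a record; also return keys that repeat inside one JSON object."""
    repeated = []
    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                repeated.append(key)
            seen.add(key)
        return dict(pairs)  # last value wins, as with plain json.loads
    return json.loads(text, object_pairs_hook=hook), repeated

def review(record):
    """Return findings; the license reading of the counters is an assumption."""
    findings = []
    for dev in record.get("managedDevices", {}).get("items", []):
        name = dev.get("deviceInfo", {}).get("deviceName", "unknown")
        mal = dev.get("malware", {})
        need = mal.get("numberOfACRulesNeedMalwareLicense", 0)
        if need > 0 and not mal.get("malwareLicenseUsed", False):
            findings.append(f"{name}: {need} AC rules need a Malware license, none in use")
    versions = record.get("SSLStats", {}).get("version", {})
    for ver in LEGACY:
        if versions.get(ver, 0) > 0:
            findings.append(f"{ver}: {versions[ver]} connections negotiated")
    return findings

if __name__ == "__main__":
    record, repeated = load_record(SAMPLE)
    print("repeated keys:", repeated)
    for line in review(record):
        print(line)
```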