
#CiscoLive

Help, My firewall has an issue.


How to get a health alert

Lucas Cammarata, Security Multi-Domain Architect


BRKSEC-2121

Cisco Webex App

Questions?
Use Cisco Webex App to chat with the speaker after the session

How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install the Webex App or go directly to the Webex space
4 Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until June 9, 2023.
https://ciscolive.ciscoevents.com/ciscolivebot/#BRKSEC-2121

#CiscoLive BRKSEC-2121 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• Introduction
• Cisco Secure Firewall Health Policy – FMC
• Health Eventing
• Health Graphs
• Creating Alerts
• Cisco XDR Health Alert Workflow – FMC
• Cisco XDR Health Alert Workflow – Meraki MX
• Conclusion
Introduction
• GSSO SLED East Area Security Multi-Domain Architect
• 20+ Years System Engineering - Cisco
• CMMC-RP, CISSP
• From Clifton Park NY near Albany
• Interests: Vintage Cars, Motorcycles, Karate, Soccer, Espresso

Joined Cisco Oct. 2000 …and now
How Do I Know if My System Is Working Correctly?
“Hello, helpdesk? I can’t get to the Internet.”
Cisco Secure Firewall Health Policy - FMC
Health Policy Overview on FMC v7.x

• Health Policy is a combination of modules and tests
• Tests are run automatically at an interval you configure
• Status (Enabled/Disabled) is available for all modules; Criteria and Limits are available for certain modules
• Health Policy can be applied to the FMC, FTD Devices and Legacy Firepower Devices
• Health Policies can be created for individual devices or groups of devices
Architectural Overview
• Telegraf health agent is added to collect specific metrics
• Prometheus collects the metrics from Telegraf and stores them in time series fashion
• Alerts are generated when values exceed the user-configured threshold in the health policy
• Telegraf health agent is an open-source plugin-driven agent for collecting metrics. It collects data every 1 minute
• Prometheus, an open-source Time Series Database on FMC, pulls the metrics from the device every 1 minute
Health Processes
Use pmtool to confirm health processes are running

Steps:
1. Log in to the FMC CLI
2. Switch to Expert mode
3. Use sudo su to change to superuser
4. Run pmtool status:

/Volume/home/admin# pmtool status

Confirm these processes are running:
Prometheus
HealthAlertServer
hmdaemon
Health Modules
Refer to Firewall Management Center Documentation

There are over 65 Modules and 110 Health Metrics
Health Modules
Some Metrics Enabled by Default

FMC

| Metric Group Name | Enabled by default | Description |
|---|---|---|
| CPU | No | Monitors FMC CPU |
| Memory | Yes | Monitors FMC Memory |
| Disk | Yes | Monitors FMC Disk Usage |
| Interface | Yes | Monitors FMC Interface |
| Process | Yes | Monitors FMC processes |
| Event | Yes | Monitors Event Rate |
| MySQL | No | Monitors MySQL |
| RabbitMQ | No | Monitors RabbitMQ |
| Sybase | No | Monitors Sybase |

FTD

| Metric Group Name | Enabled by default | Description | Platform |
|---|---|---|---|
| Chassis Status | Yes | Monitors different Chassis parameters like Fan speed and temperature | Applicable to only FPR2100 and FPR1000 platforms |
| Flow offload | Yes | Monitors hardware flow offload statistics | Applicable to FPR9300 and FPR4100 platforms |
| ASP drops | Yes | Monitors Lina side packet drops | All |
| Hit counts | No | Monitors hit counts for Access Control Policy Rules | All |
| AMP Threat Grid Status | Yes | Monitors connectivity to AMP ThreatGrid | All |
| AMP Connectivity Status | No | Monitors AMP cloud connectivity from the FTD | All |
| SSE connector status | No | Monitors SSE cloud connectivity from the FTD | All |
| NTP Status | No | Monitors NTP clock synchronization parameters on the FTD | All |
| VPN statistics | Yes | Monitors S2S and RA VPN Tunnel statistics | All |
| Route statistics | Yes | Monitors Lina side packet drops | All |
| Snort 3 perf stats | Yes | Monitors certain Snort3 performance statistics (perfstats) | All |
| xTLS counters | No | Monitors xTLS/SSL flows, memory and cache effectiveness | All |
Health Policy
System>Health>Policy

• A health policy contains configured health test criteria for several modules
• You decide whether to enable each health module for that policy
• Create one health policy that can be applied to every appliance in your system, or customize each health policy to the specific appliance where you plan to apply it
Health Policy
Create Policy
1. Create Policy
2. Choose Default Health Policy
3. Name and Describe your Policy
4. Edit Policy
Health Policy
Create Policy – Set Thresholds for each Health Module

Assign Policy to Device(s)
Turn all alerts on/off
Turn alerts on/off
Set Thresholds
Health Policy
Apply Policy

1. Apply to your device(s)
2. Choose device(s)
3. Apply
Health Eventing
System>Health>Events

Green ― No alarms
Orange ― At least one health warning
Red ― At least one critical health alarm
Health Graphs
Health Monitor 7.x
System>Health>Monitor

Green ― No alarms
Orange ― At least one health warning
Red ― At least one critical health alarm

Health Monitor 7.x
Drill into a Monitored Device - FMC

Hover over timeline

Health Monitor 7.x
Drill into a Monitored Device - FTD

Health Policy Thresholds

Health Monitor 7.x
Drill into a Monitored Device – FMC Troubleshoot

Troubleshooting tools
Creating Alerts
Health Policy Alerts
Set up alerts to notify you through email, SNMP, or the system log
Health Policy Alerts
• The alerts generated by the health monitor contain the following information:
  • Severity - which indicates the severity level of the alert.
  • Module - which specifies the health module whose test results triggered the alert.
  • Description - which includes the health test results that triggered the alert.

| Severity | Description |
|---|---|
| Critical | The health test results met the criteria to trigger a Critical alert status. |
| Warning | The health test results met the criteria to trigger a Warning alert status. |
| Normal | The health test results met the criteria to trigger a Normal alert status. |
| Error | The health test did not run. |
| Recovered | The health test results met the criteria to return to a normal alert status, following a Critical or Warning alert status. |
Creating Alert Notifications
Policy>Alerts

Email Alert Example

Set up email: System>Configuration>Email Notification

Create Email, SNMP or Syslog alert destinations
Health Policy Alerts – email example
System>Health>Monitor Alerts

1. Name your Alert
2. Choose the alert Severity
3. Choose which modules to include in this alert
4. Choose the alert destination (email)
5. Save

In the Threshold Timeout field, enter the number of minutes that should elapse before each threshold period ends and the threshold count resets.
Even if the policy run time interval value is less than the threshold timeout value, the interval between two reported health events from a given module is always greater. For example, if you change the threshold timeout to 8 minutes and the policy run time interval is 5 minutes, there is a 10-minute interval (5 x 2) between reported events.
Health Policy Alerts – email example
Email contents

Health Policy Alerts – syslog example
System>Health>Monitor Alerts

1. Name your Alert
2. Choose the alert Severity
3. Choose which modules to include in this alert
4. Choose the alert destination (syslog)
5. Save

Syslog Events
Cisco XDR Health Alert Workflow - FMC

Cisco XDR Dashboard

XDR Incident

Cisco XDR Ribbon

Cisco XDR Automation

Cisco XDR Orchestration

Cisco XDR Automation

Cisco XDR Automation
Cisco XDR Automation
FMC Alert to Incident Workflow

Atomic Actions

Enter Workflow Parameters in this Pane
Cisco XDR Automation
FMC Alert to Incident Workflow

Run the Workflow

Cisco XDR Automation
FMC Alert to Incident Workflow

Add a Trigger to run the workflow on a Schedule
Cisco XDR – How to Communicate with FMC

FMC + Cisco XDR + SSE Proxy
• Requires FMC version 7.2+
• Requires Device to be registered to SSE
• Provides native “built-in” orchestration capabilities for FMC
• Easier to get started with a seamless integration

FMC + Cisco XDR + Remote Appliance
• Versatile to interact with other on-prem APIs
• Requires the deployment of a VM Appliance
• Works with any FMC version
• Authenticates to FMC API as an FMC user

*** Do not use ADMIN
Cisco XDR Automation
Set up FMC Credentials

Credentials for the Workflow to log in to the on-premise FMC

Best Practice: Create specific Credentials to use for Remote API access
Cisco XDR Automation
Set up the SSE Proxy as a target to access FMC

FMC for the Workflow
Cisco XDR Automation
Use the Cisco XDR Target to access FMC

Target is a member of the Default Target Group
Cisco XDR Automation
Get the Health Alerts using the FMC API

Get the available Health Alerts
Cisco XDR Automation
Firepower api-explorer: https://<fmc-ip>/api/api-explorer/

Path

Test it out

Alert Contents
Cisco XDR Automation
Set up the Table of Health Alert Items

Set up a table of Health Alerts
Cisco XDR Automation
Firepower api-explorer

Response Strings

Cisco XDR Automation

Set Access to Cisco XDR Ribbon
Cisco XDR Automation
If the Health Alert is Red or Yellow, Continue to Create an Incident

Orchestration Logic: While loop and Conditional Block

Read the Table and search for Critical or Warning Status (Red or Yellow)
Cisco XDR Automation
Check to see if the Health Incident already exists
Cisco XDR Automation
Update a Previously Existing Incident

If it exists, then update the Incident with the date and time of the repeated Alert
Cisco XDR Automation
Which Device has a Health Alert

Incident is New

Extract the Device Name from the UUID
Insert the Device Name into a Variable

UUID=0 is an FMC
UUID is Hostname
Cisco XDR Automation
Create a New Health Incident

Information Format to be posted

Create the Cisco XDR Incident
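The incident logic of the FMC workflow above (filter Red/Yellow alerts, de-duplicate against existing incidents, stamp repeats, resolve UUID 0 to the FMC hostname) modelled offline as an added example; this is not the session's workflow code. The alert field names, the device map and the in-memory incident store are constructed assumptions.

```python
# Added example (not the session's workflow): an offline model of the
# FMC-alert-to-incident logic. Alert field names, the device map and the
# incident store are constructed assumptions for this demo.
from dataclasses import dataclass, field

ACTIONABLE = {"Critical", "Warning"}          # Red or Yellow on the FMC health page

@dataclass
class Incident:
    title: str
    description: str
    seen: list = field(default_factory=list)   # date/time of each repeated alert

def device_name(alert, fmc_hostname, devices):
    """UUID 0 means the alert concerns the FMC itself; otherwise look up the device."""
    if str(alert["deviceUUID"]) == "0":
        return fmc_hostname
    return devices.get(alert["deviceUUID"], f"unknown-{alert['deviceUUID']}")

def process_alerts(alerts, incidents, fmc_hostname, devices, now):
    """Apply the workflow rules; returns (created, updated) incident titles."""
    created, updated = [], []
    for alert in alerts:
        if alert["severity"] not in ACTIONABLE:
            continue                              # Normal/Recovered: no incident
        name = device_name(alert, fmc_hostname, devices)
        title = f"Health Alert: {alert['severity']} - {alert['moduleName']} on {name}"
        if title in incidents:                    # incident already exists: stamp it
            incidents[title].seen.append(now)
            updated.append(title)
        else:                                     # new incident: post formatted info
            incidents[title] = Incident(title, f"{alert['description']} (device: {name})", [now])
            created.append(title)
    return created, updated

# Constructed sample alerts, one per row of the workflow's health alert table.
SAMPLE_ALERTS = [
    {"deviceUUID": "0", "moduleName": "Disk Usage", "severity": "Warning",
     "description": "Disk usage 82%"},
    {"deviceUUID": "a1b2", "moduleName": "CPU", "severity": "Critical",
     "description": "CPU usage 97%"},
    {"deviceUUID": "c3d4", "moduleName": "Memory", "severity": "Normal",
     "description": "Memory usage 40%"},
]
DEVICES = {"a1b2": "ftd-branch-01", "c3d4": "ftd-branch-02"}   # constructed UUID map

def demo():
    """Run two scheduled polls: the first creates incidents, the second only updates them."""
    store = {}
    first = process_alerts(SAMPLE_ALERTS, store, "fmc-lab", DEVICES, "2023-06-06T10:00")
    second = process_alerts(SAMPLE_ALERTS, store, "fmc-lab", DEVICES, "2023-06-06T10:05")
    return first, second, store
```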
Cisco XDR Health Alert Workflow – Meraki MX

Meraki MX – email example
Email contents

XDR Incident

Cisco XDR Ribbon
Cisco XDR Automation
Meraki API Doc: https://developer.cisco.com/meraki/api-latest/#!get-network-health-alerts

Path

Test it out

Alert Contents
Cisco XDR Automation
Meraki Alert to Incident Workflow

Enter Workflow
Local Variables

Cisco XDR Automation – Import today's workflows
Automate>Options>Git Repositories

Get Today's Workflows

Add a Git Repository

Import the Workflow:
FirepowerHealthEventsSecureXIncidents
Meraki-MX-Health-Events-to-Incidents

api.github.com/repos/lcammara/SLED-East-TSA-Cisco-SecureX
Conclusion
What Did We Cover Today
• Cisco Secure Firewall Health Policy – FMC
• Health Eventing
• Health Graphs
• Creating Alerts
• Cisco XDR Health Alert Workflow – FMC
• Cisco XDR Health Alert Workflow – Meraki MX
Fill out your session surveys!

Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!

Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at www.CiscoLive.com/on-demand
Thank you

Gamify your Cisco Live experience!
Get points for attending this session!

How:
1 Open the Cisco Events App.
2 Click on ‘Cisco Live Challenge’ in the side menu.
3 Click on View Your Badges at the top.
4 Click the + at the bottom of the screen and scan the QR code: