CSA - Processes Communicating with Untrusted Hosts
Can someone explain this builtin application class, "Processes Communicating with Untrusted Hosts"?
I've read what is in the help file and notes, and I've looked for this in the documentation. But it seems a little vague. Here are a few snippets:
Correlate communications with untrusted hosts and add peer addresses to list of dynamically quarantined IP addresses.
With this checkbox enabled, when processes are added to the dynamic <Processes communicating with Untrusted Hosts> application class (see Built-in Configurable Application Classes, page 6-7) and this event is logged across multiple agent systems, these events are correlated and the untrusted peer address that triggered the event is added to a dynamic list of quarantined IP addresses that CSA MC maintains. If you have a rule configured to stop dynamically quarantined IP addresses in a deployed policy, no further agents can communicate with this peer address. See page 4-69 for information on using @dynamic in Network access control rules.
Step 1 In the Network shield rule configuration view, enter the following information:
Description: Enter a description of this rule. This description appears in the list view for the module. Optionally, expand the +Detailed field to enter a longer description.
Enabled: Use this checkbox to enable this rule within the module. (It is enabled by default.) By not selecting this checkbox, you can save this rule, but it will not be active in the module and it will not be distributed to groups.
Step 2 Take the following action: (Note that only High Priority Deny, Allow, Deny, Monitor, and Add process action types are available for this rule. You can choose to add the system process to the Processes communicating with Untrusted Hosts application class, which causes the remote host IP address to be sent to the MC for global correlation. This may result in the address being added to the @dynamic address list for quarantining. See page 6-7 for information on the Processes communicating with Untrusted Hosts application class. Also see Correlation for details on quarantining IP addresses.) Select an action type from the pulldown list.
Processes Communicating with Untrusted Hosts: This is intended to capture the IP addresses of hosts that are viewed as violating security policies or exhibiting malicious behavior. Being classified as belonging to this application category causes a host to be quarantined from the network.
So far I've gathered that this process is involved in correlation and the @dynamic variable. But I'm confused when it is used and what rules can use it. If a network shield rule populates this class, how can an application rule use it when application rules don't work with IP addresses? If this does allow application rules to work with IP addresses, is it possible for me to use this rule in conjunction with data control rules?
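To make the documented flow concrete, the following is an added illustrative model, not Cisco CSA code: agents report "process added to the Untrusted Hosts class" events with the peer address, the MC correlates those events across distinct agent systems, a peer seen from enough agents lands on the dynamic quarantine list, and a network access control rule that references @dynamic denies further traffic to it. The correlation threshold, the event fields, the class names and the sample events are all assumptions made for the example; the real MC's correlation criteria are not stated in the quoted documentation.

```python
"""Illustrative model (added example, not Cisco CSA code) of the
correlation -> @dynamic quarantine -> deny-rule flow described in the
CSA documentation excerpts. Threshold, event fields and sample data
are assumptions for the example."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class UntrustedHostEvent:
    """One logged event: a process on an agent system was added to the
    'Processes communicating with Untrusted Hosts' application class."""
    agent: str      # reporting agent system (assumed identifier)
    process: str    # process that was added to the application class
    peer_ip: str    # remote host address that triggered the event


class ManagementCenter:
    """Models the MC's global correlation of events from multiple agents.

    A peer address is quarantined once it has been reported by at least
    `min_agents` distinct agent systems (threshold is an assumption)."""

    def __init__(self, min_agents: int = 2) -> None:
        self.min_agents = min_agents
        self._sightings: dict[str, set[str]] = defaultdict(set)  # peer -> agents
        self.dynamic_quarantine: set[str] = set()                 # the @dynamic list

    def report(self, event: UntrustedHostEvent) -> bool:
        """Ingest one event; return True if the peer is now quarantined."""
        ip_address(event.peer_ip)  # reject malformed addresses early (ValueError)
        self._sightings[event.peer_ip].add(event.agent)
        if len(self._sightings[event.peer_ip]) >= self.min_agents:
            self.dynamic_quarantine.add(event.peer_ip)
            return True
        return False


class NetworkAccessRule:
    """A deny rule whose address set is the MC-maintained @dynamic list.
    Every agent evaluating this rule consults the same correlated list,
    so once a peer is quarantined no further agent talks to it."""

    def __init__(self, mc: ManagementCenter) -> None:
        self.mc = mc

    def decide(self, peer_ip: str) -> str:
        return "deny" if peer_ip in self.mc.dynamic_quarantine else "allow"


def run_demo() -> dict[str, str]:
    """Feed constructed events through the model and return the rule's
    decision for a few peers. Returns e.g. {'192.0.2.10': 'deny', ...}."""
    mc = ManagementCenter(min_agents=2)
    rule = NetworkAccessRule(mc)
    constructed_events = [
        # 192.0.2.10 is reported by two different agents -> quarantined
        UntrustedHostEvent("agent-a", "svc.exe", "192.0.2.10"),
        UntrustedHostEvent("agent-a", "svc.exe", "192.0.2.10"),   # same agent again
        UntrustedHostEvent("agent-b", "update.exe", "192.0.2.10"),
        # 198.51.100.7 is reported by a single agent only -> not quarantined
        UntrustedHostEvent("agent-c", "svc.exe", "198.51.100.7"),
    ]
    for ev in constructed_events:
        mc.report(ev)
    return {ip: rule.decide(ip) for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5")}


if __name__ == "__main__":
    for ip, verdict in run_demo().items():
        print(f"{ip}: {verdict}")
```

The model also shows why the class is tied to network rather than application rules in the excerpts: the only thing the MC correlates and distributes is the peer IP address, which is exactly what a Network access control rule can match via @dynamic.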