Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 41 Configuring Global Correlation
Configuring Global Correlation Inspection and Reputation
• Firewall access for port 80, 443 traffic—Because global correlation updates occur through the
  sensor management interface, any firewall that lies between the sensor and the internet must allow
  traffic on ports 80 and 443. You can also use an HTTP proxy (see Identifying an HTTP Proxy Server,
  page 35-23).
• Exposure to external traffic—The global correlation database contains external IP addresses only,
  so if you position a sensor in an internal lab that has no interaction with outside networks, you might
  never receive global correlation information. The feature will have no effect.
• Bypass mode might be triggered during global correlation updates—As with signature updates,
  when the sensor applies a global correlation update, it might trigger bypass. Whether bypass is
  triggered depends on the traffic load of the sensor and the size of the signature or global correlation
  update. If bypass mode is turned off, an inline sensor stops passing traffic while the update is being
  applied.
• No IPv6 address support—Global correlation inspection and the reputation filtering deny features
  do not support IPv6 addresses. For global correlation inspection, the sensor does not receive or
  process reputation data for IPv6 addresses. The risk rating for IPv6 addresses is not modified for
  global correlation inspection. Similarly, network participation does not include event data for
  attacks from IPv6 addresses. And finally, IPv6 addresses do not appear in the deny list.
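
To gauge how much of a sensor's event traffic the external-address and IPv6 limitations exclude, the following added example (not part of the Cisco guide) sorts attacker addresses into the categories above. It assumes "external" can be approximated by globally routable IPv4; the names classify and coverage and the sample addresses are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of attacker addresses, as might be exported from sensor events.
SAMPLE_ATTACKERS = [
    "8.8.8.8", "1.1.1.1", "10.1.2.3", "192.168.10.20",
    "2001:db8::1", "2606:4700:4700::1111", "not-an-ip",
]

def classify(addr: str) -> str:
    """Return which limitation, if any, keeps this address out of global correlation."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.version == 6:
        # IPv6: no reputation data, no risk-rating change, never on the deny list.
        return "ipv6-unsupported"
    # Assumption: "external" is approximated by globally routable IPv4.
    return "eligible" if ip.is_global else "internal-not-in-database"

def coverage(addrs):
    """Count addresses per category; return (counts, eligible share of valid addresses)."""
    counts = Counter(classify(a) for a in addrs)
    valid = sum(n for k, n in counts.items() if k != "invalid")
    frac = counts["eligible"] / valid if valid else 0.0
    return counts, frac

if __name__ == "__main__":
    counts, frac = coverage(SAMPLE_ATTACKERS)
    for category, n in sorted(counts.items()):
        print(f"{category:28} {n}")
    print(f"eligible share of valid addresses: {frac:.0%}")
```

A low eligible share on a given sensor indicates that reputation data will rarely change its risk ratings or deny decisions.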

Related Topics
• Understanding Global Correlation, page 41-1
• Understanding Reputation, page 41-2
• Understanding Network Participation, page 41-3
• Configuring Global Correlation Inspection and Reputation, page 41-5
• Configuring Network Participation, page 41-7

Configuring Global Correlation Inspection and Reputation

Use the Inspection/Reputation policy to configure the sensor to use updates from the SensorBase
Network to adjust the risk rating of events. The global correlation client on the sensor determines which
updates are available and applicable to the sensor by communicating with the global correlation update
server and a file server. The global correlation update server provides the server manifest document to
the sensor, which identifies which updates are available and how to obtain them from a file server. The
sensor downloads the update files from the file server using the information in the server manifest.

When you configure global correlation, updates are automatic and happen at regular intervals,
approximately every five minutes by default, but this interval can be modified by the global correlation
server. The sensor initially gets a full update and then applies an incremental update periodically.

If you turn on global correlation, you can choose how aggressively you want the deny actions to be
enforced against malicious hosts. You can then enable reputation filtering to deny access to known
malicious hosts. If you only want a report of what could have happened, you can enable Test Global
Correlation. This puts the sensor in Audit mode, and actions the sensor would have performed are
generated in the events.