A Cisco Firepower Traffic Profile is a graph of network traffic measured over a profiling time window (PTW) that represents normal traffic. Any traffic that deviates from this normal profile is suspected of being abnormal traffic.

Firepower Traffic Profile changes and correlation policy configuration

Cisco Firepower Traffic Profiles configuration

In Policies -> Correlation -> Traffic Profile, we can configure a traffic profile with different conditions over various profiling time windows, from one hour to several weeks.

There are many options for conditions, including a specific IP subnet, a specific application, a specific web application category, a specific country and many others.

The profiling time window is the period over which normal traffic statistics are measured and learned. By default it is one week, and it can range from one hour up to several weeks.

The sampling rate is the frequency at which traffic statistics are generated. By default it is 5 minutes, and it can be as long as one hour.

Inactive periods are the times that are excluded from your traffic profile, for example when you create a backup of your database and a high rate of traffic is generated in the network.

As examples, I have created three traffic profiles.

One for subnet 192.168.1.0/24 with a one-hour time window.

One for subnet 192.168.1.0/24 with a one-day time window.

One for web traffic, including HTTP and HTTPS, with a one-day time window.

sample traffic profiles in various profiling window time
firepower traffic profile for subnet 192.168.1.0 with one day profiling time window
firepower traffic profile for subnet 192.168.1.0 with one hour profiling time window
firepower traffic profile for web applications with one day profiling time window

Clicking the graph icon beside any traffic profile displays that profile's graph.

As you can see, the mean (average) traffic rate over the profiling time window is displayed, along with how far the traffic rate deviates from the average over time, measured in standard deviations.

cisco firepower traffic profile graph

Configuration of correlation policy for Traffic Profile Changes

Now we can configure a correlation policy that takes a real-time action on traffic profile changes that exceed a specified number of standard deviations.

In the previous section, we discussed the details of how to implement a correlation policy and how to create different actions. In this policy, we will use the IP null route block action that we created there.

In Policies -> Correlation -> Rule Management -> Create Rule, we create a new correlation rule for traffic profile changes, using as an example the traffic profile we created for subnet 192.168.1.0/24 with a time window of one hour.

If Total Bytes are greater than or equal to 3 standard deviations, the source IP will be blocked by adding an IP null route on the router in the path. This action was configured in the previous section.
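To make the baseline and the rule condition concrete, the following is an added example (not Cisco code, and not how Firepower computes its profiles internally) that models a profile as the mean and standard deviation of total bytes per sampling interval, excludes an inactive period from the learning window, and evaluates the "Total Bytes >= 3 standard deviations" condition. The sample values, the one-hour window of twelve 5-minute samples and the backup window are all constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Sequence, Tuple

# Constructed sample: a one-hour PTW at the default 5-minute sampling rate
# gives 12 samples of total bytes for subnet 192.168.1.0/24. Samples 6 and 7
# are a scheduled database backup and belong to an inactive period.
SAMPLES_MB = [13, 7, 13, 7, 11, 9, 200, 190, 11, 9, 10, 10]
SAMPLES = [mb * 1_000_000 for mb in SAMPLES_MB]
BACKUP_WINDOW = (6, 8)  # sample indices in [6, 8) are the inactive period


@dataclass
class TrafficProfile:
    """Baseline learned over a profiling time window: mean and standard
    deviation of total bytes per sampling interval."""
    bytes_per_sample: List[int] = field(default_factory=list)

    def learn(self, samples: Sequence[int],
              inactive_ranges: Sequence[Tuple[int, int]] = ()) -> None:
        """Keep every sample except those inside an inactive period, so that
        expected bursts (such as backups) do not inflate the baseline."""
        self.bytes_per_sample = [
            b for i, b in enumerate(samples)
            if not any(lo <= i < hi for lo, hi in inactive_ranges)
        ]

    def baseline(self) -> Tuple[float, float]:
        return mean(self.bytes_per_sample), pstdev(self.bytes_per_sample)

    def deviations(self, total_bytes: int) -> float:
        """How many standard deviations a new sample lies above the mean."""
        mu, sigma = self.baseline()
        if sigma == 0:  # flat baseline: any increase at all is unusual
            return float("inf") if total_bytes > mu else 0.0
        return (total_bytes - mu) / sigma


def correlation_rule_fires(profile: TrafficProfile, total_bytes: int,
                           threshold: float = 3.0) -> bool:
    """The rule condition 'Total Bytes >= 3 standard deviations'."""
    return profile.deviations(total_bytes) >= threshold


if __name__ == "__main__":
    profile = TrafficProfile()
    profile.learn(SAMPLES, inactive_ranges=[BACKUP_WINDOW])
    mu, sigma = profile.baseline()
    print(f"baseline: mean={mu:.0f} B, stddev={sigma:.0f} B per 5 minutes")
    for new_sample in (15_000_000, 16_000_000):
        verdict = "rule fires" if correlation_rule_fires(profile, new_sample) else "no action"
        print(f"{new_sample} B -> {profile.deviations(new_sample):.1f} sd: {verdict}")
```

Learning the same samples without the inactive period pulls the mean up to about 41 MB per interval and widens the standard deviation so much that the 16 MB sample no longer triggers the rule, which is why backup windows belong in the profile's inactive periods.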

detect traffic profile changes with firepower correlation rule
configure correlation policy for traffic profile changes

Result of the correlation policy for traffic profile changes exceeding 3 standard deviations

To test the result, I tried to download a big file from the internet to generate a traffic rate exceeding 3 standard deviations.

The traffic profile changes can be checked in the traffic profile graph. It is expected that the IP address exceeding 3 standard deviations will be blocked by the correlation policy's action module.

the result of traffic profile changes violating 3 standard deviation