07-18-2018 11:36 AM - edited 02-21-2020 08:00 AM
Hello,
I was just looking into setting up the TID feature on Firepower management center. I have most of it configured, but my SFR modules are not showing up as "Elements" under the Intelligence tab. I have Access policies running on all of my modules, what else specifically needs to be set up to be able to tie the modules to the TID?
FMC 6.2.3 (build 79)
SFR 6.2
07-18-2018 08:06 PM - edited 07-18-2018 08:07 PM
Have you checked the following? I have done this in my lab and the managed devices (FTDv in my case) show up fine. (Note the embedded links won't work as they are taken from my FMC server's help page.)
Smart License |
Classic License |
Supported Devices |
Supported Domains |
Access |
---|---|---|---|---|
Any |
Any |
Any |
Global |
Admin/Threat Intelligence Director (TID) User |
You must configure access control policies to publish TID data from the Firepower Management Center to your managed devices (elements). In addition, we recommend that you configure your access control policies to maximize observation and Firepower Management Center event generation.
For each managed device that you want to support TID, perform the steps below to configure the associated access control policy.
Elements that are configured to use TID after data has been published will automatically receive all currently-published observables.
Step 1 | Verify that the Enable Threat Intelligence Director check box is checked in the Advanced Settings tab of the access control policy. This option is enabled by default.
For more information, see Access Control Policy Advanced Settings. |
Step 2 | Add rules to the access control policy if they are not already present. TID requires that the access control policy specify at least one rule.
For more information, see Creating a Basic Access Control Policy. |
Step 3 | If you want SHA-256 observables to generate observations and Firepower Management Center events:
|
Step 4 | If you want IPv4, IPv6, URL, or Domain Name observations to generate connection and security intelligence events, enable connection and security intelligence logging in the access control policy:
|
Step 5 | Deploy configuration changes; see Deploying Configuration Changes. |
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide