Cisco Defense Orchestrator

FTD Executive Summary Report

The Executive Summary Report offers a collection of operational statistics for all Firepower Threat Defense (FTD) devices. Once a device is onboarded, CDO collects this information from Firepower Device Manager (FDM) every hour. 

Data in the reports is generated when network traffic triggers an access rule or policy on an FTD device. We strongly recommend enabling malware, threat, and IPS licenses, as well as enabling file logging for access rules, to allow a device to generate the events that are reflected in the reports.

Note that all of the information displayed in the report depends on the Time Range toggle located at the top of the page. Policies may experience varying traffic or triggers during the time range you select.

If you experience issues with the Executive Summary Report, or see an unexpected amount of traffic, see Troubleshoot FTD Executive Summary Report for more information. 

Generate Network Operation Data

Once a device is onboarded to CDO, event data is automatically collected. Which data is collected depends on the device configuration. The base license that is delivered with all FTD devices does not support all the options within the network operations report. We recommend the following configurations for devices you want to collect data from:

  • Logging - enable file logging on applicable access control rules. See Logging Settings in an FTD Access Control Rule for more information.
  • Malware Events - enable the malware smart license.
  • Security Intelligence - enable the threat smart license.
  • IPS Threats - enable the threat smart license. 
  • Web Categories - enable the URL smart license.
  • Files Detected - enable the threat smart license.

See FTD Licensing Types for more information on smart licenses and the capabilities these licenses provide. 

Note: The executive summary does not inherently include traffic experienced over VPN. 


The overview tab displays visuals from triggered rules, threats, and file types. These items are displayed numerically, with the largest or most frequently hit rules, events, or files listed first. 

Malware events represent detected or blocked malware files only. Note that the disposition of a file can change, for example, from clean to malware or from malware to clean. We recommend that you Schedule a Security Database Update to keep your devices up to date with the latest intrusion rules (SRUs). 

Top Ten Access Rule Hits offers three different tabs you can toggle between to view the top ten rule transfers, connections, or rules that blocked packets. 

Network Assessment

The Network Assessment tab addresses web site categories and detected file types. This display captures only the top ten most frequently encountered categories and file types. Other than by the selected time range, you cannot use this tab to determine when a specific web category or file type was detected. 


The Threats tab displays statistics generated by intrusion events: Top Attacker captures the originating IP address of an event, Top Target captures the destination IP address of an event, and Top Threats captures the type of events that have been categorized as a threat. 

This tab also details the threats and malware types that were detected. 

Generate a Report

Once you have configured the report to your preference, you can generate a PDF of the report. See Managing Reports for more information.

