Cisco Defense Orchestrator

Managing Reports

Cisco Defense Orchestrator (CDO) provides several reports that you can use to analyze the impact of your security policies on the traffic going through your Firepower Threat Defense (FTD) device. Reports cannot be generated for the traffic running through ASA devices. 

Users can create report groups which bundle together a time period, one or more report types, and one or more devices. You can create many report groups in CDO and compare the results between them over different time periods. 

Important: The data used in traffic-related reports is collected from access control rules that enable connection or file logging, and other security policies that allow logging. The reports do not reflect traffic that matches rules for which no logging is enabled. Ensure that you configure your rules to log the information that matters to you. 

CDO polls devices every hour to collect logging information that can be used in the report groups. 

Add Report Groups to the Reports Dashboard

  1. In the navigation pane, click Monitoring > Network Reports.
  2. Click Add Report Group and the device for which you are adding the report group.
  3. Select the time range for the reports: Last 24 Hours, Last 7 Days, or Last 30 Days. If you want, click Customize and move the blue circles on the time line to adjust the time period for the report. 
  4. Click Add Device to select the device(s) to be added to the report group.
  5. Click Add Report to select the report type(s) you want to add to the report group.
  • Top Applications: This report shows the top applications, such as HTTP, that are being used in the network. The information is available only for connections that are inspected. Connections are inspected if they match an "allow" rule, or a "block" rule that uses criteria other than zone, address, and port. Thus, application information is not available if the connection is trusted or blocked prior to hitting any rule that requires inspection. You can further specify that this report display information from all connections, allowed connections, denied connections, or by data usage. Only a Firepower Basic license is required.
  • Top Attackers: This report shows the top sources of connections that trigger intrusion events. You must configure intrusion policies on access rules to see this information. Intrusion policies require a Firepower Threat license.
  • Top Destinations: Shows the top destinations for network traffic. The initial access rule can provide some insight into traffic, including policies, destinations, and security zones. You can further specify that this report display information from all connections, allowed connections, denied connections, or by data usage. Only a Firepower Basic license is required.
  • Top Targets: Shows the top targets of intrusion events, which are the victims of an attack. You must configure intrusion policies on access rules to see this information. Intrusion policies require a Firepower Threat license. 
  • Top Threats: Shows the top intrusion rules that have been triggered. You must configure intrusion policies on access rules to see this information. Intrusion policies require a Firepower Threat license. 
  6. Within each report, you can select how the information is displayed by clicking the blue bar-graph button.
  7. To remove a report from the report group, click the "X" icon in the upper-right corner of the report.