FDM-Managed Device Executive Summary Report

The Executive Summary Report offers a collection of operational statistics for all FDM-managed devices. Once a device is onboarded, Cisco Defense Orchestrator (CDO) may take up to two hours to collect this information from Firewall Device Manager (FDM); after the initial report generation, data is compiled hourly. Note that report information is not part of the request for events, so events and reports are not available at the same cadence.

Data in the reports is generated when network traffic triggers an access rule or policy on an FDM-managed device. We strongly recommend enabling malware defense and IPS licenses, as well as enabling file logging for access rules, to allow a device to generate the events that are reflected in the reports.

Note that all of the information displayed in the report is dependent on the Time Range toggle located at the top of the page. Policies may experience varying traffic or triggers during the time range you select.

If you experience issues with the Executive Summary Report, or see an unexpected amount of traffic, see Troubleshoot the Executive Summary Report for more information.

Generate Network Operation Data

Once a device is onboarded to CDO, event data is automatically collected. The data collected depends on the device configuration. The license that is delivered with all FDM-managed devices does not support all the options within the network operations report. We recommend the following configurations for devices you want to collect data from:

  • Logging - enable file logging on applicable access control rules. See Logging Settings in an FDM Access Control Rule for more information.

  • Malware Events - enable the malware smart license.

  • Security Intelligence - enable the smart license.

  • IPS Threats - enable the smart license.

  • Web Categories - enable the URL smart license.

  • Files Detected - enable the smart license.

See FDM-Managed Device Licensing Types for more information on smart licenses and the capabilities these licenses provide.

Note

The executive summary does not inherently include traffic experienced over VPN.

Overview

The overview tab displays visuals from triggered rules, threats, and file types. These items are displayed numerically, with the largest or most frequently hit rules, events, or files listed first.

Malware events represent detected or blocked malware files only. Note that the disposition of a file can change, for example, from clean to malware or from malware to clean. We recommend that you Schedule a Security Database Update to keep your devices up to date with the latest intrusion rules (SRUs).

Top Ten Access Rule Hits offers three different tabs you can toggle between to view the top ten rule transfers, connections, or rules that blocked packets.

Network Assessment

The Network Assessment tab addresses web site categories and detected file types. This display captures only the top ten most frequently encountered categories and file types. Other than by the selected time range, you cannot use this tab to determine when a specific web category or file type was detected.

Threats

The Threats tab displays statistics generated by intrusion events: Top Attacker captures the originating IP address of an event, Top Target captures the destination IP address of an event, and Top Threats captures the type of events that have been categorized as a threat.

This tab also details the threats and malware types that were detected.

Generate a Report

Once you have configured the report to your preference, you can generate a PDF of the report. See Managing Reports for more information.