Health Modules

Health modules, or health tests, test for the criteria you specify in a health policy.

Module

Module Type

Description

CPU Usage (per core)

Telegraph

This module checks that the CPU usage on all the cores is not overloaded and alerts when CPU usage exceeds the thresholds configured for the module. The Warning Threshold % default value is 80. The Critical Threshold % default value is 90.

Disk Status

Legacy

This module examines the performance of the hard disk and malware storage pack (if installed) on the appliance.

This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected.

Disk Usage

Telegraph

This module compares disk usage on the appliance’s hard drive and malware storage pack to the limits configured for the module and alerts when usage exceeds the thresholds configured for the module. This module also alerts when the system excessively deletes files in monitored disk usage categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds.

The Disk Usage module sends a health alert if the size of device configuration history files exceeds the allowed limit. See Disk Usage for Device Configuration History Files Health Monitoring Alert for information about troubleshooting scenarios for the disk usage alerts. This health alert is not supported on Secure Firewall Management Center Versions 7.2.0-7.2.5, 7.3.x, and 7.4.0.

Use the Disk Usage health status module to monitor disk usage for the / and /volume partitions on the appliance and track draining frequency. Although the disk usage module lists the /boot partition as a monitored partition, the size of the partition is static so the module does not alert on the boot partition.

File System Integrity Check

Legacy

This module performs a file system integrity check and runs if the system has CC mode or UCAPL mode enabled, or if the system runs an image signed with a DEV key. This module is enabled by default.

Health Monitor Process

Legacy

This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the management center exceeds the Warning or Critical limits.

Interface Statistics

Legacy

This module determines if the device currently collects traffic and alerts based on the traffic status of physical interfaces and aggregate interfaces. For physical interfaces, the information includes interface name, link state, and bandwidth. For aggregate interfaces, the information includes interface name, number of active links, and total aggregate bandwidth.

Note

This module also monitors the high availability standby device traffic flow. Though it is known that the standby device would not be receiving any traffic yet, the management center alerts that the interface is not receiving any traffic. The same alerting principle is applied when traffic is not received by some of the subinterfaces on a port channel.

If you use the show interface CLI command to know the interface statistics of your device, the input and output rates in the CLI command result can be different from the traffic rates that appear in the interface module.

This module displays the traffic rates according to the values from Lina. The sampling intervals of Lina and the management center interface statistics are different. Due to the difference in sampling interval, throughput values in the management center GUI can be different from the throughput values appears in the threat defense CLI result.

Local Malware Analysis

Legacy

This module monitors ClamAV updates for Local Malware Analysis.

Memory Usage

Legacy

This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module.

When calculating the memory usage, the management center Memory Usage health module monitors and includes the usage of RAM, swap memory, and cache memory.

For appliances with more than 4 GB of memory, the preset alert thresholds are based on a formula that accounts for proportions of available memory likely to cause system problems. On >4 GB appliances, because the interval between Warning and Critical thresholds may be very narrow, its recommended that you manually set the Warning Threshold % value to 50. This will further ensure that you receive memory alerts for your appliance in time to address the issue.

Beginning with Version 6.6.0, the minimum required RAM for management center virtual upgrades to Version 6.6.0+ is 28 GB, and the recommended RAM for management center virtual deployments is 32 GB. We recommend you do not decrease the default settings: 32 GB RAM for most management center virtual instances, 64 GB for the management center virtual 300 (VMware only).

Attention

A critical alert is generated by the health monitor when insufficient RAM is allocated to a management center virtual deployment.
If the management center reaches a critical system memory condition, the system might terminate the processes that use high memory or reboot the management center if memory usage remains high.

Complex access control policies and rules can command significant resources and negatively affect performance.

Process Status

Legacy

This module determines if processes on the appliance exit or terminate outside of the process manager.

If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited, until the module runs again and the process has restarted. If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process, until the module runs again and the process has restarted.

Threat Data Updates on Devices

Legacy

Certain intelligence data and configurations that devices use to detect threats are updated on the management center from the cloud every 30 minutes.

This module alerts you if this information has not been updated on the devices within the time period you have specified.

Monitored updates include:

Local URL category and reputation data
Security Intelligence URL lists and feeds, including global Block and Do Not Block lists and URLs from Threat Intelligence Director
Security Intelligence network lists and feeds (IP addresses), including global Block and Do Not Block lists and IP addresses from Threat Intelligence Director
Security Intelligence DNS lists and feeds, including global Block and Do Not Block lists and domains from Threat Intelligence Director
Local malware analysis signatures (from ClamAV)
SHA lists from Threat Intelligence Director, as listed on the Objects > Object Management > Security Intelligence > Network Lists and Feeds page
Dynamic analysis settings configured on the Integration > AMP > Dynamic Analysis Connections page
Threat Configuration settings related to expiration of cached URLs, including the Cached URLs Expire setting on the Integration > Other Integrations > Cloud Services page. (Updates to the URL cache are not monitored by this module.)
Communication issues with the Cisco cloud for sending events. See the Cisco Cloud box on the Integration > Other Integrations> Cloud Services page.

Note	Threat Intelligence Director updates are included only if TID is configured on your system and you have feeds.

By default, this module sends a warning after 1 hour and a critical alert after 24 hours.

If this module indicates failure on the management center or on any devices, verify that the management center can reach the devices.

Management Center Health Modules

Module

Module Type

Description

AMP for Endpoints Status

Legacy

The module alerts if the management center cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. It also alerts if you deregister an AMP cloud connection using the Secure Endpoint management console.

AMP for Firepower Status

Legacy

This module alerts if:

The management center cannot contact the AMP cloud (public or private) or the Secure Malware Analytics Cloud or Appliance, or the AMP private cloud cannot contact the public AMP cloud.
The encryption keys used for the connection are invalid.
A device cannot contact the Secure Malware Analytics Cloud or Secure Malware Analytics Appliance to submit files for dynamic analysis.
An excessive number of files are detected in network traffic based on the file policy configuration.

If your management center loses connectivity to the Internet, the system may take up to 30 minutes to generate a health alert.

Appliance Heartbeat

Legacy

This module determines if an appliance heartbeat is being heard from the appliance and alerts based on the appliance heartbeat status.

Database Size

Legacy

This module checks the size of the configuration database and alerts when the size exceeds the values (in gigabytes) configured for the module.

Discovery Host Limit

Legacy

This module determines if the number of hosts the management center can monitor is approaching the limit and alerts based on the warning level configured for the module. For more information, see Host Limit.

Event Backlog Status

Legacy

This module alerts if the backlog of event data awaiting transmission from the device to the management center has grown continuously for more than 30 minutes.

To reduce the backlog, evaluate your bandwidth and consider logging fewer events.

Event Monitor

Telegraph

This module monitors overall incoming event rate to management center.

Event Stream Status

Legacy

This module monitors connections to third-party client applications that use the Event Streamer on the management center.

Hardware Statistics

Telegraph

This module monitors the status of the management center hardware entities, namely, fan speed, temperature, and power supply. This module alerts when the threshold value exceeds the configured Warning or Critical limits.

ISE Connection Monitor

Legacy

This module monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the management center. ISE provides additional user data, device type data, device location data, SGTs (Security Group Tags), and SXP (Security Exchange Protocol) services.

License Monitor

Legacy

This module monitors license expiration.

Management Center HA Status

Legacy

This module monitors and alerts on the high availability status of the management center. If you have not established management center high availability, the HA Status is Not in HA.

Note	This module replaces the high availability status module, which previously provided high availability status for the management center. In Version 7.0, we added high availability status for managed devices.

MySQL Statistics

Telegraph

This module monitors the status of the MySQL database, including the database size, number of active connections, and memory use. Disabled by default.

RabbitMQ Status

Telegraph

This module collects various statistics for RabbitMQ.

RRD Server Process

Legacy

This module determines if the round robin data server that stores time series data is running properly. The module alerts if the RRD server has restarted since the last time it updated; it enters Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration.

Realm

Legacy

Enables you to set a warning threshold for realm or user mismatches, which are:

User mismatch: A user is reported to the management center without being downloaded.

A typical reason for a user mismatch is that the user belongs to a group you have excluded from being downloaded to the management center. Review the information discussed in Realm Fields.
Realm mismatch: A user logs into a domain that corresponds to a realm not known to the management center.

For more information, see .

This module also displays health alerts when you try to download more users than the maximum number of downloaded users supported per realm. The maximum number of downloaded users for a single realm depends on your management center model.

For more information, see User Limit in the Cisco Secure Firewall Management Center Device Configuration Guide

Security Intelligence

Legacy

This module alerts if Security Intelligence is in use and the management center cannot update a feed, or feed data is corrupt or contains no recognizable IP addresses.

See also the Threat Data Updates on Devices module.

Smart License Monitor

Legacy

This module monitors Smart Licensing status and alerts if:

There is a communication error between the Smart Licensing Agent (Smart Agent) and the Smart Software Manager.
The Product Instance Registration Token has expired.
The Smart License usage is out of compliance.
The Smart License authorization or evaluation mode has expired.

Sybase Statistics

Telegraph

This module monitors the status of the Sybase database on the management center, including the database size, number of active connections, and memory use.

Time Series Data (RRD) Monitor

Legacy

This module tracks the presence of corrupt files in the directory where time series data (such as correlation event counts) are stored and alerts when files are flagged as corrupt and removed.

Time Server Status

Legacy

This module monitors the configuration of the NTP servers and alerts when the NTP server is unavailable or if the NTP server configuration is invalid.

If you receive critical alert from this module, choose System ( system gear icon ) > Configuration > Time Synchronization and check the configuration of the NTP server specified in the alert.

Time Synchronization Status

Legacy

This module tracks the synchronization of a device clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds.

Unresolved Groups Monitor

Legacy

Monitors unresolved groups used in policies.

URL Filtering Monitor

Legacy

This module alerts if the management center fails to:

Register with the Cisco cloud.
Download URL threat data updates from the Cisco cloud.
Complete URL lookups.

You can configure time thresholds for these alerts.

See also the Threat Data Updates on Devices module.

Device Health Modules
Module	Module Type	Description
AMP Connection Status	Telegraph	The module alerts if the threat defense cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. Disabled by default.
AMP Threat Grid Connectivity	Telegraph	The module alerts if the threat defense cannot connect to the AMP Threat Grid cloud after an initial successful connection.
ASP Drop	Telegraph	This module monitors the connections dropped by the data plane accelerated security path.
Automatic Application Bypass	Legacy	This module monitors bypassed detection applications.
Chassis Environment Status	Legacy	This module monitors chassis parameters such as fan speed and chassis temperature, and enables you to set a warning threshold and critical threshold for temperature. The Critical Chassis Temperature (Celsius) default value is `85`. The Warning Chassis Temperature (Celsius) default value is `75`.
Cluster/HA Failover Status	Legacy	This module monitors the status of device clusters. The module alerts if: A new primary unit is elected to a cluster. A new secondary unit joins a cluster. A primary or secondary unit leaves a cluster.
Configuration Resource Utilization	Legacy	This module alerts if the size of your deployed configurations puts a device at risk of running out of memory. The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies. Snort Memory Allocation Total Snort Memory indicates the memory allotted for the Snort 2 instances running on the threat defense device. Available Memory indicates the memory allotted by the system for a Snort 2 instance. Note that this value is not just the difference between the Total Snort Memory and the combined memory reserved for other modules. This value is derived after few other computations and then divided by the number of Snort 2 processes. A negative Available Memory value indicates that Snort 2 instance does not have enough memory for the deployed configuration. For support, contact Cisco Technical Assistance Center (TAC).
Connection Statistics	Telegraph	This module monitors the connection statistics and NAT translation counts.
Data Plane CPU Usage	Telegraph	This module checks that the average CPU usage of all data plane processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is `80`. The Critical Threshold % default value is `90`.
Snort CPU Usage	Telegraph	This module checks that the average CPU usage of the Snort processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is `80`. The Critical Threshold % default value is `90`.
System CPU Usage	Telegraph	This module checks that the average CPU usage of all system processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is `80`. The Critical Threshold % default value is `90`.
Critical Process Statistics	Telegraph	This module monitors the state of critical processes, their resource consumption, and the restart counts.
Deployed Configuration Statistics	Telegraph	This module monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules.
Firewall Threat Defense Platform Faults	Legacy	This module generates an alert for platform faults for Firepower 1000 and Secure Firewall 3100, 4200 devices. A fault is a mutable object that is managed by the management center. Each fault represents a failure in the threat defense instance or an alarm threshold that has been raised. During the lifecycle of a fault, it can change from one state or severity to another. Each fault includes information about the operational state of the affected object at the time the fault was raised. If the fault is transitional and the failure is resolved, then the object transitions to a functional state. For more information, see the Cisco Firepower 1000/2100 FXOS Faults and Error Messages Guide.
Management Center Access Configuration Changes	Legacy	This module monitors access configuration changes made on the management center directly using the configure network management-data-interface command.
Flow Offload Statistics	Telegraph	This module monitors hardware flow offload statistics for a managed device.
Hardware Alarms	Legacy	This module determines if hardware needs to be replaced on a physical managed device and alerts based on the hardware status. The module also reports on the status of hardware-related daemons.
Inline Link Mismatch Alarms	Legacy	This module monitors the ports associated with inline sets and alerts if the two interfaces of an inline pair negotiate different speeds.
Intrusion and File Event Rate	Legacy	This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the Intrusion and File Event Rate is zero, the intrusion process may be down or the managed device may not be sending events. Select Analysis > Intrusions > Events to check if events are being received from the device. Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to `50` and Events per second (Warning) should be set to `30`. To determine limits for your system, find the Events/Sec value on the Statistics page for your device (System () > Monitoring > Statistics), then calculate the limits using these formulas: Events per second (Critical) = Events/Sec * 2.5 Events per second (Warning) = Events/Sec * 1.5 The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit.
Link State Propagation	Legacy	ISA 3000 only. This module determines when a link in a paired inline set fails and triggers the link state propagation mode. If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads: `Module Link State Propagation: ethx_ethy is Triggered` where `x` and `y` are the paired interface numbers.
Memory Usage Data Plane	Telegraph	This module checks the percentage of allocated memory used by the Data Plane processes and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is `80`. The Critical Threshold % default value is `90`.
Memory Usage Snort	Telegraph	This module checks the percentage of allocated memory used by the Snort process and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is `80`. The Critical Threshold % default value is `90`.
Network Card Reset	Legacy	This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs.
NTP Statistics	Telegraph	This module monitors the NTP clock synchronization status of the managed device. Disabled by default.
Power Supply	Legacy	This module determines if power supplies on the appliance require replacement and alerts based on the power supply status.
Routing Statistics	Telegraph	This module monitors the current state of routing table.
Snort3 Statistics	Telegraph	This module collects and monitors the Snort 3 statistics for events, flows, and packets.
Snort Identity Memory Usage	Legacy	Enables you to set a warning threshold for Snort identity processing and alerts when memory usage exceeds the level configured for the module. The Critical Threshold % default value is `80`. This health module specifically keeps track of the total space used for the user identity information in Snort. It displays the current memory usage details, the total number of user-to-IP bindings, and user-group mapping details. Snort records these details in a file. If the memory usage file is not available, the Health Alert for this module displays Waiting for data. This could happen during a Snort restart due to a new install or a major update, switch from Snort 2 to Snort 3 or back, or major policy deployment. Depending on the health monitoring cycle, and when the file is available, the warning disappears, and the health monitor displays the details for this module with its status turned Green.
Snort Reconfiguring Detection	Telegraph	This module alerts if a device reconfiguration has failed. This module detects reconfiguration failure for both Snort 2 and Snort 3 instances.
Snort Statistics	Telegraph	This module monitors the Snort statistics for events, flows, and packets.
Security Services Exchange Connection Status	Telegraph	The module alerts if the threat defense cannot connect to the security services exchange cloud after an initial successful connection. Disabled by default.
Threat Defense HA (Split-brain check)	Legacy	This module monitors and alerts on the high availability status of the threat defense and provides a health alert for a split brain scenario. If you have not established threat defense high availability, the HA Status is `Not in HA`.
VPN Statistics	Telegraph	This module monitors site-to-site and remote access VPN tunnels between threat defense devices.
XTLS Counters	Telegraph	This module monitors XTLS/SSL flows, memory and cache effectiveness. Disabled by default.