Firepower Management Center Configuration Guide, Version 7.0

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: May 26, 2021

Chapter: Data Storage

Data Storage
Data Stored on the FMC
- Purging Data from the FMC Database
External Data Storage
History for Data Storage

Data Storage

Data Stored on the FMC


For	See
General information about data storage on the FMC	The Disk Usage Widget
Purging old data	Purging Data from the FMC Database
Allowing external access to the data on the FMC (this is an advanced feature)	External Database Access Settings
Backups	Manage Backups and Remote Storage and subtopics
Reports	Configuring Local Storage
Events	Connection Logging Database Event Limits and subtopics
Network discovery data	Network Discovery Data Storage Settings and subsequent topics
Files	Information about storing files in File Policies and Malware Protection, including best practices. File and Malware Inspection Performance and Storage Tuning
Packet data	Edit General Settings
Users and user activity	The Users Database The User Activity Database

Purging Data from the FMC Database

You can use the database purge page to purge discovery, identity, connection, and Security Intelligence data files from the FMC databases. Note that when you purge a database, the appropriate process is restarted.

Caution

Purging a database removes the data you specify from the Firepower Management Center. After the data is deleted, it cannot be recovered.

Before you begin

You must have Admin or Security Analyst privileges to purge data. You can be in the global domain only.

Procedure

Step 1

Choose System > Tools > Data Purge.

Step 2

Under Discovery and Identity, perform any or all of the following:

Check the Network Discovery Events check box to remove all network discovery events from the database.
Check the Hosts check box to remove all hosts and Host Indications of Compromise flags from the database.
Check the User Activity check box to remove all user activity events from the database.
Check the User Identities check box to remove all user login and user history data from the database, as well as User Indications of Compromise flags.

Step 3

Under Connections, perform any or all of the following:

Check the Connection Events check box to remove all connection data from the database.
Check the Connection Summary Events check box to remove all connection summary data from the database.
Check the Security Intelligence Events check box to remove all Security Intelligence data from the database.

Note

Checking the Connection Events check box does not remove Security Intelligence events. Connections with Security Intelligence data will still appear in the Security Intelligence event page (available under the Analysis > Connections menu). Correspondingly, checking the Security Intelligence Events check box does not remove connection events with associated Security Intelligence data.

Step 4

Click Purge Selected Events.

The items are purged and the appropriate processes are restarted.

External Data Storage

You can optionally use remote data storage for store certain types of data.


For	See
Backups	Manage Backups and Remote Storage and subtopics Remote Storage Management and subtopics
Reports	Remote Storage Management and subtopics Moving Reports to Remote Storage
Events	Information about syslog and other resources in Event Analysis Using External Tools Remote Data Storage in the Stealthwatch Cloud Remote Data Storage on a Secure Network Analytics Appliance If you store connection events remotely, consider disabling storage of connection events on your FMC. For information, see Database Event Limits and subtopics.

Important

If you will use syslog or store events externally, avoid special characters in object names such as policy and rule names. Object names should not contain special characters, such as commas, that the receiving application may use as separators.

Comparison of Cisco Security Analytics and Logging Remote Event Storage Options

Similar but different options for storing event data externally to your FMC:


On Premises	SaaS
You purchase, obtain the license for, and set up the storage system behind your firewall.	You purchase licenses and a data storage plan and send your data to the Cisco Security Cloud.
Supported event types: Connection Security-related connection Intrusion File and Malware LINA	Supported event types: Connection Security-related connection Intrusion File and Malware
Supports both syslog and direct integration.	Supports both syslog and direct integration.
View all events on the Secure Network Analytics Manager. Cross-launch from FMC event viewer to view events on the Secure Network Analytics Manager. View remotely stored connection and Security-related connection events in FMC	View events in CDO or Secure Network Analytics, depending on your license. Cross-launch from FMC event viewer.
For more information, see the links in Remote Data Storage on a Secure Network Analytics Appliance.	For more information, see the links in Remote Data Storage in the Stealthwatch Cloud.

Remote Data Storage in the Stealthwatch Cloud

Send select Firepower event data to the Secure Network Analytics Cloud using Cisco Security Analytics and Logging (SaaS). Supported events: Connection, Security Intelligence, intrusion, file, and malware.

For details, see the Firepower Management Center and Cisco Security Analytics and Logging (SaaS) Integration Guide at https://cisco.com/go/firepower-sal-saas-integration-docs.

You can send events either directly or via syslog.

Important

Remote Data Storage on a Secure Network Analytics Appliance

If you require more data storage than your Firepower appliance can provide, you can use Cisco Security Analytics and Logging (On Premises) to store Firepower data on a Secure Network Analytics appliance. For complete information, see the documentation available from https://cisco.com/go/sal-on-prem-docs.

You can view connection events in FMC even if they are stored on a Secure Network Analytics appliance. See Work in the FMC with Connection Events Stored on a Secure Network Analytics Appliance.

Important

History for Data Storage


Feature	Version	Details
Exempt low priority connection events from event rate limits	7.0	If you choose not to store connection events on the FMC because you are storing them on a remote volume, those events do not count towards the flow rate limits for your FMC hardware device. If you send events to Cisco Security Analytics and Logging (On Premises) using the new 7.0 configurations, you configure this setting as part of that integration. Otherwise, see information about the Connection Database in Database Event Limits. New/Modified pages: None. Behavior change only.
Improved process for sending events to a Secure Network Analytics appliance	7.0	A new wizard streamlines sending events directly to a Secure Network Analytics appliance using Cisco Security Analytics and Logging (On Premises). The wizard also allows you to see remotely stored connection events while viewing event pages on your FMC, and to cross-launch from FMC to view events on your Secure Network Analytics appliance. If you have already configured your system to send events using syslog, events will continue to be sent using syslog unless you disable those configurations. For details, see the documentation referenced in Remote Data Storage on a Secure Network Analytics Appliance. New/Modified pages: The System > Logging > Security Analytics & Logging page now displays the wizard instead of the configuration for creating cross-launch options.
Remote data storage on a Secure Network Analytics appliance	6.7	You can now store large volumes of Firepower event data remotely, using Cisco Security Analytics and Logging (On Premises). When viewing events in FMC, you can quickly cross-launch to view events in your remote data storage location. Supported events: Connection, Security Intelligence, intrusion, file, and malware. Events are sent using syslog. This solution depends on availability of Stealthwatch Management Console (SMC) Virtual Edition running Stealthwatch Enterprise (SWE) version 7.3. See Remote Data Storage on a Secure Network Analytics Appliance.
Remote data storage in the Secure Network Analytics Cloud	6.4	Use syslog to send select Firepower data using Cisco Security Analytics and Logging (SaaS). Supported events: Connection, Security Intelligence, intrusion, file, and malware. For details, see the Firepower Management Center and Cisco Security Analytics and Logging (SaaS) Integration Guide at https://cisco.com/go/firepower-sal-saas-integration-docs.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)