ManualsPro Cisco CISCO Version 623 Secure Firewall Management Center User Guide

CISCO Version 623 Secure Firewall Management Center User Guide

June 15, 2024
Cisco

CISCO Version 623 Secure Firewall Management Center User Guide

Connection and Security Intelligence Events

The following topics describe how to use connection and security events tables.

  • About Connection Events, on page 1
  • Connection and Security Intelligence Event Fields, on page 3
  • Using Connection and Security Intelligence Event Tables, on page 23
  • Viewing the Connection Summary Page, on page 27

About Connection Events

The system can generate logs of the connections its managed devices detect. These logs are called connection events. Connection events include Security Intelligence events (connections blocked by the reputation-based Security Intelligence feature.)

Connection events generally include transactions detected by:

  • Access Control policies
  • SSL policies
  • Prefilter policies (captured by prefilter or tunnel rules)
  • DNS Block lists
  • URL Block lists
  • Network (IP address) Block lists

Settings in rules and policies give you granular control over which connections you log, when you log them, and where you store the data.

For detailed information, see Connection Logging.

Related Topics
About Security Intelligence

Connection vs. Security Intelligence Events

A Security Intelligence events a connection event that is generated whenever a session is blocked or monitored by the reputation-based Security Intelligence feature.

However, for every Security Intelligence event, there is an identical connection event. You can view and analyze Security Intelligence events independently. The system also stores and prunes Security Intelligence events separately.

Note that the system enforces Security Intelligence before more resource- intensive evaluations. When a connection is blocked by Security Intelligence, the resulting event does not contain the information that the system would have gathered from subsequent evaluation, for example, user identity.

Note
 In this guide, information about connection events also pertains to Security Intelligence events, unless otherwise noted.

Inflow Connections

To supplement the connection data gathered by your managed devices, you can use records broadcast by Inflow exporters to generate connection events. This is especially useful if the Inflow exporters are monitoring different networks than those monitored by your managed devices.

The system logs Inflow records as unidirectional end-of-connection events in the Firepower Management Center database. The available information for these connections differs somewhat from connections detected by your access control policy; see Differences between Inflow and Managed Device Data.

Related Topics
Netflow Data in the Firepower System

Connection Summaries (Aggregated Data for Graphs)

The Firepower System aggregates connection data collected over five-minute intervals into connection summaries, which the system uses to generate connection graphs and traffic profiles. Optionally, you can create custom workflows based on connection summary data, which you use in the same way as you use workflows based on individual connection events.

Note that there are no connection summaries specifically for Security Intelligence events, although corresponding end-of-connection events can be aggregated into connection summary data.

To be aggregated, multiple connections must:

  • represent the end of connections
  • have the same source and destination IP addresses, and use the same port on the responder (destination) host
  • use the same protocol (TCP or UDP)
  • use the same application protocol
  • either be detected by the same Firepower System managed device or by the same NetFlow exporter

Each connection summary includes total traffic statistics, as well as the number of connectionism the summary. Because NetFlow exporters generate unidirectional connections, a summary’s connection count is incremented by two for every connection based on NetFlow data.

Note that connection summaries do not contain all of the information associated with the summaries’ aggregated connections. For example, because client information is not used to aggregate connections into connection summaries, summaries do not contain client information

Long-Running Connections

If a monitored session spans two or more five-minute intervals over which connection data is aggregated, the connection is considered a long-running connection. When calculating the number of connections in a connection summary, the system increments the count only for the five-minute interval in which a long-running connection was initiated.

Also, when calculating the number of packets and bytes transmitted by the initiator and responder in along-running connection, the system does not report the number of packets and bytes that were actually transmitted during each five-minute interval. Instead, the system assumes a constant rate of transmission and calculates estimated figures based on the total number of packets and bytes transmitted, the length of the connection, and what portion of the connection occurred during each five-minute interval

Combined Connection Summaries from External Responders

To reduce the space required to store connection data and speed up the rendering of connection graphs, the

system combines connection summaries when:

  • one of the hosts involved in the connection is not on your monitored network
  • other than the IP address of the external host, the connections in the summaries meet the summary aggregation criteria

When viewing connection summaries in the Analysis > Connections submenu pages, and when working with connection graphs, the system displays external instead of an IP address for the non-monitored hosts.

As a consequence of this aggregation, if you attempt to drill down to the table view of connection data (that
is, access data on individual connections) from a connection summary or graph that involves an external responder, the table view contains no information. Connection and Security Intelligence Event Fields

Note
You cannot use the connection/Security Intelligence events Search page to search for events associated with a connection.

Access Control Policy (Syslog: AC Policy)
The access control policy that monitored the connection.

Access Control Rule (Syslog: Access Control Rule Name)
 The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that connection.

If the connection matched one Monitor rule, the Firepower Management Center displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the number of matching Monitor rules is displayed, for example, Default Action + 2 Monitor Rules.

To display a pop-up window with a list of the first eight Monitor rules matched by the connection, click N Monitor Rules.

Action (Syslog: Access Control Rule Action)
The action associated with the configuration that logged the connection.

For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent rule or by the default action, the action associated with a connection logged due to a Monitor rule is never Monitor. However, you can still trigger correlation policy violations on connections that match Monitor rules.

Action Description
Allow Connections either allowed by access control explicitly, or allowed

because a user bypassed an interactive block.
Block, Block with reset| Blocked connections, including:

  • tunnels and other connections blocked by the profiler policy
  • connections blocked by Security Intelligence
  • encrypted connections blocked by an SSL policy
  • connections where an exploit was blocked by an intrusion policy
  • connections where a file (including malware) was blocked by a file policy

For connections where the system blocks an intrusion or file, system displays lock, even though you use access control Allow rules to invoke deep inspection.

Fast path| Non-encrypted tunnels and other connections fast pathed by the refilter policy.
Interactive Block, Interactive Block with reset| Connections logged when the system initially blocks a user’s HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, additional connections logged for the session have an action of Allow.
Trust| Connections trusted by access control. The system logs trusted TCP connections differently depending on the device model.
Default Action| Connections handled by the access control policy’s default action.
(Blank/empty)| The connection closed before enough packets had passed to match a rule. This can happen only if a facility other than access control, such as intrusion prevention, causes the connection to be logged.

plication Protocol (Syslog: Application Protocol)
In the Firepower Management Center web interface, this value constrains summaries and graphs.
The application protocol, which represents communications between hosts, detected in the connection.

Application Protocol Category and Tag
Criteria that characterize the application to help you understand the application’s function.

Application Risk
The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated risk; this field displays the highest of those.

Business Relevance
The business relevance associated with the application traffic detected in the connection: Very High,
High, Medium, Low, or Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the lowest (least relevant) of those.

Client and Client Version (Syslog: Client, ClientVersion)
The client application and version of that client detected in the connection.
If the system cannot identify the specific client used in the connection, the field displays the word “client” appended to the application protocol name to provide a generic name, for example, FTP client.

Client Category and Tag
Criteria that characterize the application to help you understand the application’s function.

Connections
The number of connections in a connection summary.For long-running connections, that is, connections that span multiple connection summary intervals, only the first connection summary interval is incremented. To view meaningful results for searches using the Connections criterion, use a custom workflow that has a connection summary page.

Count
The number of connections that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. If you create a custom workflow and do not add the Count column to a drill-down page, each connection is listed individually and packets and bytes are not summed.

Destination Port/ICMP Code (Syslog: Separate fields – Dst Port, ICMP Code)
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The port or ICMP code used by the session responder.

Detection Type
This field shows the source of detection of a client.

Device
In the Firepower Management Center web interface, this value constrains summaries and graphs.

The managed device that detected the connection or, for connections generated from Net Flow data, the managed device that processed the data.

DNS Query (Syslog: DNS Query)
The DNS query submitted in a connection to the name server to look up a domain name.

DNS Record Type (Syslog: DNS Record Type)
The type of the DNS resource record used to resolve a DNS query submitted in a connection.

DNS Response (Syslog: DNS Response Type)
The DNS response returned in a connection to the name server when queried.

DNS Sinkhole Name (Syslog: DNS_Sinkhole)
The name of the sinkhole server where the system redirected a connection.

DNS TTL (Syslog: DNS_TTL)
The number of seconds a DNS server caches the DNS resource record.

Domain
The domain of the managed device that detected the connection or, for connections generated from NetFlow data, the domain of the managed device that processed the data. This field is only present if you have ever configured the Firepower Management Center for multitenancy.

Endpoint Location
The IP address of the network device that used ISE to authenticate the user, as identified by ISE.

Endpoint Profile (Syslog: Endpoint Profile)
The user’s endpoint device type, as identified by ISE.

Files (Syslog: File Count)
The number of files (including malware files) detected or blocked in a connection associated with one or more file events.
In the Firepower Management Center web interface, the View Files icon links to a list of files. The number on the icon indicates the number of files (including malware files) detected or blocked in that connection.

First Packet or Last Packet (Syslog: See the Connection Duration field)
The date and time the first or last packet of the session was seen.

HTTP Referrer (Syslog: HTTPReferer)
The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a website that provided a link to, or imported a link from, another URL).

HTTP Response Code (Syslog: HTTPResponse)
The HTTP status code sent in response to a client’s HTTP request over a connection. It indicates the reason behind successful and failed HTTP request. For more details about HTTP response codes, see RFC 2616 (HTTP), Section 10.

Ingress/Egress Interface (Syslog: IngressInterface, EgressInterface)
The ingress or egressinterface associated with the connection. If your deployment includes an asymmetric routing configuration, the ingress and egress interface may not belong to the same inline pair.

Ingress/Egress Security Zone (Syslog: IngressZone, EgressZone)
The ingress or egress security zone associated with the connection.
For rezoned encapsulated connections, the ingress field displays the tunnel zone you assigned, instead of the original ingress security zone. The egress field is blank

Initiator/Responder Bytes (Syslog: InitiatorBytes, ResponderBytes)
The total number of bytes transmitted by the session initiator or received by the session responder.

Initiator/Responder Continent
When a routable IP is detected, the continent associated with the IP address for the session initiator or responder.

Initiator/Responder Country
When a routable IP is detected, the country associated with the IP address of the session initiator or responder. The system displays an icon of the country’s flag, and the country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag icon to view the country’s full name.

Initiator/Responder IP (Syslog: SrcIP, DstIP)
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The IP address (and host name, if DNS resolution is enabled) of the session initiator or responder.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields, on page 16.
In the Firepower Management Center web interface, the host icon identifies the IP address that caused the connection to be blocked.
For plaintext, passthrough tunnels either blocked or fast pathed by the refilter policy, initiator and responder IP addresses represent the tunnel endpoints—the routed interfaces of the network devices on either side of the tunnel.

Initiator/Responder Packets (Syslog: Initiator Packets, Responder Packets)
The total number of packets transmitted by the session initiator or received by the session responder.

Initiator User (Syslog: User)
In the Firepower Management Center web interface, this value constrains summaries and graphs.
The user logged into the session initiator. If this field is populated with No Authentication, the user traffic:

  • matched an access control policy without an associated identity policy
  • did not match any rules in the identity policy

See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields, on page 16.

Intrusion Events (Syslog: IPS Count)
The number of intrusion events, if any, associated with the connection.
In the Firepower Management Center web interface, the View Intrusion Events icon links to a list of events.

IOC
Whether the event triggered an indication of compromise (IOC) against a host involved in the connection.

NetBIOS Domain (Syslog: Net BIOS Domain)
The NetBIOS domain used in the session.

NetFlow SNMP Input/Output
For connections generated from NetFlow data, the interface index for the interface where connection traffic entered or exited the NetFlow exporter.

NetFlow Source/Destination Autonomous System
For connections generated from NetFlow data, the border gateway protocol autonomous system number for the source or destination of traffic in the connection.

NetFlow Source/Destination Prefix
For connections generated from NetFlow data, the source or destination IP address ANDed with the source or destination prefix mask.

NetFlow Source/Destination TOS
For connections generated from NetFlow data, the setting for the type-of- service (TOS) byte when connection traffic entered or exited the NetFlow exporter.

Network Analysis Policy (Syslog: NAP Policy)
The network analysis policy (NAP), if any, associated with the generation of the event.

Original Client Country
The country where the original client IP address belongs. To obtain this value, the system extracts the original client IP address from an X-Forwarded- For (XFF), True-Client-IP, or custom-defined HTTP header, then maps it to the country using the geolocation database (GeoDB). To populate this field, you must enable an access control rule that handles proxied traffic based on its original client.

Original Client IP (Syslog: originalClientSrcIP )
The original client IPaddressfrom an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To populate this field, you must enable an access control rule that handles proxied traffic based on its original client.

Refilter Policy (Syslog: Refilter Policy)
The refilter policy that handled the connection.

Protocol (Syslog: Protocol)

In the Firepower Management Center web interface:

  • This value constrains summaries and graphs.
  • This field is available only as a search field.

The transport protocol used in the connection. To search for a specific protocol, use the name or number protocol as listed in http://www.iana.org/assignments/protocol-numbers.

QoS-Applied Interface
For rate-limited connections, the name of the interface where you applied rate limiting.
QoS-Dropped Initiator/Responder Bytes
The number of bytes dropped from the session initiator or session responder due to rate limiting.
QoS-Dropped Initiator/Responder Packets
The number of packets dropped from the session initiator or session responder due to rate limiting.
QoS Policy
The QoS policy that rate limited the connection.
QoS Rule
The QoS rule that rate limited the connection.

Reason (Syslog: Access Control Rule Reason)
The reason or reasons the connection was logged, in many situations. For a full list, see Connection Event Reasons, on page 16.

Connections with a Reason of IP Block, DNS Block, and URL Block have a threshold of 15 seconds per unique initiator-responder pair. After the system blocks one of those connections, it does not generate connection events for additional blocked connections between those two hosts for the next 15 seconds, regardless of port or protocol.

Referenced Host (Syslog: ReferencedHost)
If the protocol in the connection is HTTP or HTTPS, this field displays the host name that the respective protocol was using.

Security Context (Syslog: Context)
For connections handled by ASA FirePOWER in multiple context mode, the metadata identifying the virtual firewall group through which the traffic passed.

Security Group Tag (Syslog: Security Group)
The Security Group Tag (SGT) attribute of the packet involved in the connection. The SGT specifies the privileges of a traffic source within a trusted network. Security Group Access (a feature of both Cisco Trust Sec and Cisco ISE) applies the attribute as packets enter the network.

Security Intelligence Category (Syslog: URLSI Category, DNSSI Category )
The name of the object that represents or contains the blocked URL, domain, or IP address in the connection. The Security Intelligence category can be the name of a network object or group, a Block list, a custom Security Intelligence list or feed, a TID category related to an observation, or one of the categories in the Intelligence Feed.
In the Firepower Management Center web interface, DNS, Network (IP address), and URL Security Intelligence connection events are combined into a single category field. In syslog messages, those events are specific by type.
For more information about the categories in the Intelligence Feed, see Security Intelligence Categories.

Source Device

In the Firepower Management Center web interface, this value constrains summaries and graphs. The IP address of the NetFlow exporter that broadcast the data used to generate for the connection. If the connection was detected by a managed device, this field displays Firepower.

Source Port/ICMP Type (Syslog: SrcPort, ICMPType)
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The port or ICMP type used by the session initiator.

SSL Actual Action (Syslog: SSL Actual Action)
In the Firepower Management Center web interface, this field is a search field only.
The system displays field values in the SSL Status field on search workflow pages.
The action the system applied to encrypted traffic in the SSL policy

Action Description
Block/Block with reset Represents blocked encrypted connections.
Decrypt (Resign) Represents an outgoing connection decrypted using a re-

signed server certificate.
Decrypt (Replace Key)| Represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
Decrypt (Known Key)| Represents an incoming connection decrypted using a known private key.
Default Action| Indicates the connection was handled by the default action.
Do not Decrypt| Represents a connection the system did not decrypt.

SSL Certificate Information (Syslog: SSLCertificate)
In the Firepower Management Center web interface, this field is a search field only.
The information stored on the public key certificate used to encrypt traffic, including:

  • Subject/Issuer Common Name
  • Subject/Issuer Organization
  • Subject/Issuer Organization Unit
  • Not Valid Before/After
  • Serial Number
  • Certificate Fingerprint
  • Public Key Fingerprint

SSL Certificate Status (Syslog: SSL Server Cert Status)
This applies only if you configured a Certificate Status SSL rule condition. If encrypted traffic matches an SSL rule, this field displays one or more of the following server certificate status values:

  • Self Signed
  • Valid
  • Invalid Signature
  • Invalid Issuer
  • Expired
  • Unknown
  • Not Valid Yet
  • Revoked

If unencryptable traffic matches an SSL rule, this field displays Not Checked.

SSL Cipher Suite (Syslog: SSSL Cipher Suite)
A macro value representing a cipher suite used to encrypt the connection. See www.iana.org/assignments/tls-parameters/tls- parameters.xhtml for cipher suite value designations.

SSL Encryption applied to the connection
This field is available only as a search field in the Firepower Management Center web interface.
Enter yes or no in the SSL search field to view TLS/SSL-encrypted or non- encrypted connections.

SSL Expected Action (Syslog: SSL Expected Action)
In the Firepower Management Center web interface, this field is a search field only.
The action the system expected to apply to encrypted traffic, given the SSL rules in effect.
Enter any of the values listed for SSL Actual Action.

SSL Failure Reason (Syslog: SSL Flow Status)
The reason the system failed to decrypt encrypted traffic:

  • Unknown
  • No Match
  • Success
  • Uncoached Session
  • Unknown Cipher Suite
  • Unsupported Cipher Suite
  • Unsupported SSL Version
  • SSL Compression Used
  • Session Undecryptable in Passive Mode
  • Handshake Error
  • Decryption Error
  • Pending Server Name Category Lookup
  • Pending Common Name Category Lookup
  • Internal Error
  • Network Parameters Unavailable
  • Invalid Server Certificate Handle
  • Server Certificate Fingerprint Unavailable
  • Cannot Cache Subject DN
  • Cannot Cache Issuer DN
  • Unknown SSL Version
  • External Certificate List Unavailable
  • External Certificate Fingerprint Unavailable
  • Internal Certificate List Invalid
  • Internal Certificate List Unavailable
  • Internal Certificate Unavailable
  • Internal Certificate Fingerprint Unavailable
  • Server Certificate Validation Unavailable
  • Server Certificate Validation Failure
  • Invalid Action

Field values are displayed in the SSL Status field on the search workflow pages.

SSL Flow Error

The error name and hexadecimal code if an error occurred during the TLS/SSL session; Success if no error occurred.

SSL Flow Flags

The first ten debugging level flags for an encrypted connection. On a workflow page, to view all flags, click the ellipsis (…).
The message OVER_SUBSCRIBED is displayed if your managed device is overloaded. For more information, see Troubleshoot TLS/SSL Oversubscription.

SSL Flow Messages

The keywords below indicate encrypted traffic is associated with the specified message type exchanged
between client and server during the TLS/SSL handshake. See http://tools.ietf.org/html/rfc5246 for more information.

  • HELLO_REQUEST
  • CLIENT_ALERT
  • SERVER_ALERT
  • CLIENT_HELLO
  • SERVER_HELLO
  • SERVER_CERTIFICATE
  • SERVER_KEY_EXCHANGE
  • CERTIFICATE_REQUEST
  • SERVER_HELLO_DONE
  • CLIENT_CERTIFICATE
  • CLIENT_KEY_EXCHANGE
  • CERTIFICATE_VERIFY
  • CLIENT_CHANGE_CIPHER_SPEC
  • CLIENT_FINISHED
  • SERVER_CHANGE_CIPHER_SPEC
  • SERVER_FINISHED
  • NEW_SESSION_TICKET
  • HANDSHAKE_OTHER
  • APP_DATA_FROM_CLIENT
  • APP_DATA_FROM_SERVER

The message HEARTBEAT is displayed if applications are using the TLS/SSL heartbeat extension. For more information, see About TLS Heartbeat.

SSL Policy (Syslog: SSL Policy)
The SSL policy that handled the connection.

SSL Rule (Syslog: SSL Rule Name)
The SSL rule or default action that handled the connection, as well as the first Monitor rule matched by that connection. If the connection matched a Monitor rule, the field displays the name of the rule that handled the connection, followed by the Monitor rule name.

SSL Server Name (Syslog Only)
This field exists ONLY as a syslog field; it does not exist in the Firepower Management Center web interface.
Hostname of the server with which the client established an encrypted connection.

SSL Session ID (Syslog: SSL Session)
The hexadecimal Session ID negotiated between the client and server during the TLS/SSL handshake.

SSL Status

The action associated with the SSL Actual Action (SSL rule, default action, or unencryptable traffic action) that logged the encrypted connection. The Lock icon links to SSL certificate details. If the certificate is unavailable (for example, for connections blocked due to TLS/SSL handshake error), the lock icon is dimmed.

If the system fails to decrypt an encrypted connection, it displays the SSL Actual Action(undecyl table traffic action) taken, as well as the SSL Failure Reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allows it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).

When searching this field, enter one or more of the SSL Actual Action and SSL Failure Reason values to view encrypted traffic the system handled or failed to decrypt.

SSL Subject/Issuer Country
This field is available only in the Firepower Management Center web interface, and only as a search field.
A two-character ISO 3166-1 alpha-2 country code for the subject or issuer country associated with the encryption certificate.

SSL Ticket ID (Syslog: SSL TicketID)
A hexadecimal hash value of the session ticket information sent during the TLS/SSL handshake.

SSLURLCategory (Syslog Only)
URL categories for the URL visited in the encrypted connection.
This field exists ONLY as a syslog field; in the Firepower Management Center web interface, values in this field are included in the URL Category column. See also URL.

SSL Version (Syslog: SSL Version)
The TLS/SSL protocol version used to encrypt the connection:

  • Unknown
  • SSLv2.0
  • SSLv3.0
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2

TCP Flags (Syslog: TCP Flags)
For connections generated from Net Flow data, the TCP flags detected in the connection.
When searching this field, enter a list of comma-separated TCP flags to view all connections that have at least one of those flags.

Time
The ending time of the five-minute interval that the system used to aggregate connectionism a connection summary. This field is not searchable.

TLS Fingerprint Process Name
Process or client in the TLS client hello packet that was analyzed by the encrypted visibility engine.

TLS Fingerprint Process Confidence Score
The confidence value in the range 0-100% that the encrypted visibility engine has detected the right process. For example, if the process name is Firefox and if the confidence score is 80%, it means that the engine is 80% confident that the process it has detected is Firefox.

TLS Fingerprint Malware Confidence
The probability level that the process detected by the encrypted visibility engine contains malware. This field indicates the bands (Very High, High, Medium, Low, or Very Low) based on the value in the malware confidence score.

TLS Fingerprint Malware Confidence Score
The confidence value in the range 0-100% that the process detected by the encrypted visibility engine contains malware. If the malware confidence score is very high, say 90%, then the TLS Fingerprint Process Name field will display “Malware.”

Total Packets
This field is available only as a search field.
The total number of packets transmitted in the connection.

Traffic (KB)
This field is available only as a search field.
The total amount of data transmitted in the connection, in kilobytes.

Tunnel/Prefilter Rule (Syslog: Tunnel or Refilter Rule)
The tunnel rule, prefilter rule, or prefilter policy default action that handled the connection.
URL, URL Category, and URL Reputation (Syslog: URL, URL Category and SSLU RL Category, URL Reputation) The URL requested by the monitored host during the session and its associated category and reputation, if available.

If the system identifies or blocks a TLS/SSL application, the requested URL is in encrypted traffic, so the system identifies the traffic based on an SSL certificate. For TLS/SSL applications, therefore, this field indicates the common name contained in the certificate. See also SSLURLCategory, above.

User Agent (Syslog: UserAgent)
The user-agent string application information extracted from HTTP traffic detected in the connection.

VLAN ID
The innermost VLAN ID associated with the packet that triggered the connection.

AWeb Application (Syslog: Web Application)
The web application, which represents the content or requested URL for HTTP traffic detected in the connection.

If the web application does not match the URL for the event, the traffic is probably referred traffic, such as advertisement traffic. If the system detectsreferred traffic, itstoresthe referring application (if available) and lists that application as the web application.

If the system cannot identify the specific web application in HTTP traffic, this field displays Web Browsing.

Web Application Category and Tag
Criteria that characterize the application to help you understand the application’s function.

About Connection and Security Intelligence Event Fields

In the Firepower Management Center web interface, you can view and search connection and security intelligence events using tabular and graphical workflows under the Analysis > Connections submenus

Note
 For each Security Intelligence event, there is an identical, separately stored connection event. All Security Intelligence events have a populated Security Intelligence Category field.

The information available for any individual event can vary depending on how, why, and when the system logged the connection.

Search Constraints

Fields marked with an asterisk (*) on search pages constrain connection graphs and connection summaries. Because connection graphs are based on connection summaries, the same criteria that constrain connection summaries also constrain connection graphs. If you search connection summaries using invalid search constraints and view your results using a connection summary page in a custom workflow, the invalid constraints are labeled as not applicable (N/A) and are marked with a strikethrough.

Syslog Fields

Most fields appear both in the Firepower Management Center web interface and as syslog messages. Fields without a listed syslog equivalent are not available in syslog messages. A few fields are syslog-only, as noted, and few others are separate fields in syslog messages but are consolidated fields in the web interface or vice-versa.

A Note About Initiator/Responder, Source/Destination, and Sender/Receiver

Fields

Table 1: Comparison of Terms

Fields Event Type Description
Initiator/Responder Connection Initiator/responder of the connection. The

initiator of a connection is not necessarily the same as the source of an intrusion or the sender of a malware file.
Source/Destination| Intrusion| Source/destination of the attack. The source of an intrusion event can be the initiator or the responder of the connection.
Sender/Receiver(Sending…,Receiving…)| File, Malware| Sender/receiver of a file or malware. The sender of a file is not necessarily the initiator of the connection, as a file may be uploaded or downloaded.

Connection Event Reasons

The Reason field in a connection event displays the reason or reasons the connection was logged, in the following situations:

Reason Description
Content Restriction The system modified the packet to enforce content

restrictions related to either the Safe Search or YouTube EDU feature.
DNS Block| The system denied the connection without inspection, based on the domain name and Security Intelligence data. A reason of DNS Block is paired with an action of Block, Domain not found, or Sinkhole, depending on the DNS rule action.
DNS Monitor| The system would have denied the connection based on the domain name and Security Intelligence data, but you configured the system to monitor, rather than deny, the connection.
File Block| The connection contained a file or malware file that the system prevented from being transmitted. A reason of File Block is always paired with an action of Block.
File Custom Detection| The connection contained a file on the custom detection list that the system prevented from being transmitted.
File Monitor| The system detected a particular type of file in the connection.
File Resume Allow| File transmission was originally blocked by a Block Files or Block Malware file rule. After a new access control policy allowing the file was deployed, the HTTP session automatically resumed. This reason only appears in inline deployments.
File Resume Block| File transmission was originally allowed by a Detect Files or Malware Cloud Lookup file rule. After a new access control policy blocking the file was deployed, the HTTP session automatically stopped. This reason only appears in inline deployments.
Intelligent App Bypass| The Intelligent Application Bypass (IAB) mode:•  If the action is Trust, IAB was in bypass mode. Matching traffic passed without further inspection.•  If the action is Allow, IAB was in test mode. Matching traffic was available for further inspection.
Intrusion Block| The system blocked or would have blocked an exploit (intrusion policy violation) detected in the connection. A reason of Intrusion Block is paired with an action of Block for blocked exploits and Allow for would-have-blocked exploits.
Intrusion Monitor| The system detected, but did not block, an exploit detected in the connection. This occurs when the state of the triggered intrusion rule is set to Generate Events.
IP Block| The system denied the connection without inspection, based on the IP address and Security Intelligence data. A reason of IP Block is always paired with an action of Block.
IP Monitor| The system would have denied the connection based on the IP address and Security Intelligence data, but you configured the system to monitor, rather than deny, the connection.
SSL Block| The system blocked an encrypted connection based on the TLS/SSL inspection configuration. A reason of SSL Block is always paired with an action of Block.
Reason| Description
URL Block| The system denied the connection without inspection, based on the URL and Security Intelligence data. A reason of URL Block is always paired with an action of Block.
URL Monitor| The system would have denied the connection based on the URL and Security intelligence data, but you configured the system to monitor, rather than deny, the connection.
User Bypass| The system initially blocked a user’s HTTP request, but the user clicked through awarding page to view the site. A reason of User Bypass is always paired with an action of Allow.

Requirements for Populating Connection Event Fields

The information available for a connection event, Security Intelligence event, or connection summary depends on several factors.

Appliance Model and License
Many features require that you enable specific licensed capabilities on target devices, and many features are only available on some models.
For example, NGIPSv devices do not support TLS/SSL inspection. They cannot inspect encrypted traffic; logged connection events do not contain information about encrypted connections.

Traffic Characteristics
The system only reports information present (and detectable) in network traffic. For example, there could be no user associated with an initiator host, or no referenced host detected in a connection where the protocol is not DNS, HTTP, or HTTPS.

Origin/Detection Method: Traffic-Based Detection vs NetFlow
With the exception of NetFlow-only fields, the information available in NetFlow records is more limited than the information generated by traffic- based detection; see Differences between NetFlow and Managed Device Data.

Evaluation Stage
Each type of traffic inspection and control occurs where it makes the most sense for maximum flexibility and performance.
For example, the system enforces Security Intelligence before more resource- intensive evaluations. When a connection is blocked by Security Intelligence, the resulting event does not contain the information that the system would have gathered from subsequent evaluation, for example, user identity.

Logging Method: Beginning or End of Connection
When the system detects a connection, whether you can log it at its beginning or its end (or both) depends on how you configure the system to detect and handle it.

Beginning-of-connection events do not have information that must be determined by examining traffic over the duration of the session (for example, the total amount of data transmitted or the timestamp of the last packet in the connection). Beginning-of-connection events are also not guaranteed to have information about application or URL traffic in the session, and do not contain any details about the session’s encryption. Beginning-of-connection logging is usually the only option for blocked connections.

Connection Event Type: Individual vs Summary

Connection summaries do not contain all of the information associated with their aggregated connections.
For example, because client information is not used to aggregate connections into connection summaries,
summaries do not contain client information.

Keep in mind that connection graphs are based on connection summary data, which use only end-of-connection
logs. If your system is configured to log only beginning-of-connection data, connection graphs and connection summary event views contain no data.

Other Configurations “

Other configurations that affect connection logging include, but are not limited to:

  • ISE-related fields are populated only if you configure ISE, in connections associated with users who authenticate via an Active Directory domain controller. Connection events do not contain ISE data for users who authenticate via LDAP, RADIUS, or RSA domain controllers.
  • The Security Group Tag field is populated only if you configure ISE as an identity source or add custom SGT rule conditions.
  • Prefilter-related fields (including tunnel zone information in security zone fields) are populated only in connections handled by a prefilter policy.
  • TLS/SSL-related fields are populated only in encrypted connections handled by an SSL policy. You can view the values of the fields using a Do Not Decrypt rule action if you do not need to decrypt the traffic.
  • File information fields are populated only in connections logged by access control rules associated with file policies.
  • Intrusion information fields are populated only in connections logged by access control rules either associated with intrusion policies or using the default action.
  • QoS-related fields are populated only in connections subject to rate limiting.
  • The Reason field is populated only in specific situations, such as when a user bypasses an Interactive Block configuration.
  • The Domain field is only present if you have ever configured the Firepower Management Center for multitenancy.
  • An advanced setting in the access control policy controls the number of characters the system stores in the connection log for each URL requested by monitored hosts in HTTP sessions. If you use this setting to disable URL logging, the system does not display individual URLs in the connection log, although you can still view category and reputation data, if it exists.

Related Topics
Differences between NetFlow and Managed Device Data

Information Available in Connection Event Fields

The table in this topic indicates when the system can populate connection and Security Intelligence fields.

The columns in the table represent the following event types:

  • Origin: Direct—Events that represent connections detected and handled by a managed device.
  • Origin: NetFlow—Events that represent connections exported by a NetFlow exporter.
  • Logging: Start—Events that represent connections logged at their beginning.
  • Logging: End—Events that represent connections logged at their end.

A “yes” in the table does not mean that the system must populate a connection event field, rather, that it can. The system only reports information present (and detectable) in network traffic. For example, TLS/SSL-related fields are populated only for records of encrypted connections handled by an SSL policy.

Connection Event Field| Origin: Direct| Origin: NetFlow| Logging: Start| Logging: End
---|---|---|---|---
Access Control Policy| yes| no| yes| yes
Access Control Rule| yes| no| yes| yes
Action| yes| no| yes| yes
Application Protocol| yes| yes| if available| yes
Application Protocol Category & Tag| yes| no| if available| yes
Application Risk| yes| no| if available| yes
Business Relevance| yes| no| if available| yes
Client| yes| no| if available| yes
Client Category & Tag| yes| no| if available| yes
Client Version| yes| no| if available| yes
Connections| yes| yes| no| yes
Count| yes| yes| yes| yes
Destination Port/ICMP Type| yes| yes| yes| yes
Device| yes| yes| yes| yes
Domain| yes| yes| yes| yes
DNS Query| yes| no| yes| yes
DNS Record Type| yes| no| yes| yes
DNS Response| yes| no| yes| yes
DNS Sinkhole Name| yes| no| yes| yes
Connection Event Field| Origin: Direct| Origin: Net Flow| Logging: Start| Logging: End
DNS TTL| yes| no| yes| yes
Egress Interface| yes| no| yes| yes
Egress Security Zone| yes| no| yes| yes
Endpoint Location| yes| no| yes| yes
Endpoint Profile| yes| no| yes| yes
Files| yes| no| no| yes
First Packet| yes| yes| yes| yes
HTTP Referrer| yes| no| no| yes
HTTP Response Code| yes| no| yes| yes
Ingress Interface| yes| no| yes| yes
Ingress Security Zone| yes| no| yes| yes
Initiator Bytes| yes| yes| not useful| yes
Initiator Country| yes| no| yes| yes
Initiator IP| yes| yes| yes| yes
Initiator Packets| yes| yes| not useful| yes
Initiator User| yes| yes| yes| yes
Intrusion Events| yes| no| no| yes
Intrusion Policy| yes| no| yes| yes
IOC (Indication of Compromise)| yes| no| yes| yes
Last Packet| yes| yes| no| yes
NetBIOS Domain| yes| no| yes| yes
NetFlow Source/Destination Autonomous System| no| yes| no| yes
NetFlow Source/Destination Prefix| no| yes| no| yes
NetFlow Source/Destination TOS| no| yes| no| yes
NetFlow SNMP Input/Output| no| yes| no| yes
Network Analysis Policy| yes| no| yes| yes
Original Client Country| yes| no| yes| yes
Connection Event Field| Origin: Direct| Origin: NetFlow| Logging: Start| Logging: End
Original Client IP| yes| no| yes| yes
Prefilter Policy| yes| no| yes| yes
QoS-Applied Interface| yes| no| no| yes
QoS-Dropped Initiator Bytes| yes| no| no| yes
QoS-Dropped Initiator Packets| yes| no| no| yes
QoS-Dropped Responder Bytes| yes| no| no| yes
QoS-Dropped Responder Packets| yes| no| no| yes
QoS Policy| yes| no| no| yes
QoS Rule| yes| no| no| yes
Reason| yes| no| yes| yes
Referenced Host| yes| no| no| yes
Responder Bytes| yes| yes| not useful| yes
Responder Country| yes| no| yes| yes
Responder IP| yes| yes| yes| yes
Responder Packets| yes| yes| not useful| yes
Security Context (ASA only)| yes| no| yes| yes
Security Group Tag (SGT)| yes| no| yes| yes
Security Intelligence Category| yes| no| yes| yes
Source Device| yes| yes| yes| yes
Source Port/ICMP Type| yes| yes| yes| yes
SSL Certificate Status| yes| no| no| yes
SSL Cipher Suite| yes| no| no| yes
SSL Flow Error| yes| no| no| yes
SSL Flow Flags| yes| no| no| yes
SSL Flow Messages| yes| no| no| yes
SSL Policy| yes| no| no| yes
SSL Rule| yes| no| no| yes
SSL Session ID| yes| no| no| yes
Connection Event Field| Origin: Direct| Origin: NetFlow| Logging: Start| Logging: End
SSL Status| yes| no| no| yes
SSL Version| yes| no| no| yes
TCP Flags| no| yes| no| yes
Time| yes| yes| no| yes
Tunnel/Prefilter Rule| yes| no| yes| yes
URL| yes| no| if available| yes
URL Category| yes| no| if available| yes
URL Reputation| yes| no| if available| yes
User Agent| yes| no| no| yes
VLAN ID| yes| no| yes| yes
Web Application| yes| no| if available| yes
Web Application Category & Tag| yes| no| if available| yes

Using Connection and Security Intelligence Event Tables

You can use the Firepower Management Center to view a table of connection or Security Intelligence events.
Then, you can manipulate the event view depending on the information you are looking for.

In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.

The page you see when you access connection graphs differs depending on the workflow you use. You can use a predefined workflow, which terminates in a table view of events. You can also create a custom workflow that displays only the information that matches your specific needs.

When you are using a connection or Security Intelligence workflow table, you can perform many common actions.

Note that when you constrain connection events on a drill-down page, the packets and bytes from identical events are summed. However, if you are using a custom workflow and did not add a Count column to a drill-down page, the events are listed individually and packets and bytes are not summed.

Note that Connection Events table view displays 1 of Many instead of how many pages of events are available if your system generates more than 25 connection events.

Before you begin
You must be an Admin or Security Analyst user to perform this task.

Procedure

Step 1 Choose either of the following:

  • Analysis > Connections > Events (for connection events)
  • Analysis > Connections > Security Intelligence Events

Note
 If a connection graph appears instead of a table, click (switch workflow) by the workflow title, and choose the predefined Connection Events workflow, or a custom workflow. Note that all predefined connection event workflows—including connection graphs—terminate in a table view of connections.

Step 2 You have the following choices:

  • Time Range — To adjust the time range, which is useful if no events appear, see Changing the Time Window.
  • Field Names — To learn more about the contents of the columnist the table, see Connection and Security Intelligence Event Fields, on page 3.

Tip
In the table view of events, several fields are hidden by default, including the Category and Tag fields for each type of application, NetFlow-related fields, TLS/SSL-related fields, and others. To show a hidden field in an event view, expand the search constraints, then click the field name under Disabled Columns.

  • Host Profile — To view the host profile for an IP address, click Host Profile or, for hosts with active indications of compromise (IOC) tags, Compromised Host that appears next to the IP address.
  • User Profile — To view user identity information, click the user icon that appears next to the User Identity, or for users associated with IOCs,Red User.
  • Files and Malware —To view the files, including malware, detected or blocked in a connection, click View Files and proceed as described in Viewing Files and Malware Detected in a Connection, on page 25.
  • Intrusion Events — To view the intrusion events associated with a connection, as well as their priority and impact, click Intrusion Events in the Intrusion Events column and proceed as described in Viewing Intrusion Events Associated with a Connection, on page 26.

To quickly view intrusion, file, or malware events associated with one or more connections, check the connections using the check boxes in the table, then choose the appropriate option from the Jump to drop-down list. Note that because they are blocked before access control rule evaluation, there can be no files or intrusions associated with connections blocked by Security Intelligence. You can only see this information for a Security Intelligence event if you configured Security Intelligence to monitor, rather than block, connections.

Tip

  • Certificate — To view details about an available certificate used to encrypt a connection, click Enabled Lock in the SSL Status column.
  • Constrain — To constrain the columns that appear, click Close ( ) in the column heading that you want to hide. In the pop-up window that appears, click Apply.

Tip
 To hide or show other columns, check or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, expand the search constraints, then click the column name under Disabled Columns.

  • Delete Events — To delete some or all items in the current constrained view, check the check boxes next to items you want to delete and click Delete or click Delete All.

  • Drill Down — See Using Drill-Down Pages.
    Tip
    To drill down using one of several Monitor rules that matched a logged connection, click an N Monitor Rules value. In the pop-up window that appears, click the Monitor rule you want to use to constrain connection events.

  • Navigate This Page — See Workflow Page Traversal Tools.

  • Navigate Between Pages — To navigate between pages in the current workflow, keeping the current constraints, click the appropriate page link at the top left of the workflow page.

  • Navigate Between Event Views — To navigate to other event views to view associated events, click Jump to and choose the event view from the drop-down list.

  • Sort — To sort data in a workflow, click the column title. Click the column title again to reverse the sort order.

Related Topics
Overview : Workflows
Configuring Event View Settings

Viewing Files and Malware Detected in a Connection

If you associate a file policy with one or more access control rules, the system can detect files (including malware) in matching traffic. Use the Analysis > Connections menu options to see the file events, if any, associated with the connections logged by those rules. Instead of a list of files, the Firepower Management Center displays view files ( ) in the Files column. The number on the view files indicates the number of files (including malware files) detected or blocked in that connection.

Not all file and malware events are associated with connections. Specifically:

  • Malware events detected by AMP for Endpoints (“endpoint-based malware events” ) are not associated with connections. Those events are imported from your AMP for Endpoints deployment.
  • Many IMAP-capable email clients use a single IMAP session, which ends only when the user exits the application. Although long-running connections are logged by the system, files downloaded in the session are not associated with the connection until the session ends.

In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.

Before you begin
You must be an Admin or Security Analyst user to perform this task

Step 1 Go to Analysis > Connections and choose the relevant option.
Step 2 While using a connection event table, click View Files.
A pop-up window appears with a list of the files detected in the connection as well as their types, and if applicable, their malware dispositions.

Step 3 You have the following choices:

  • View — To view a table view of file events, click a File’s View.
  • View — To view details in a table view of malware events, click a Malware File’s View.
  • Track — To track the file’s transmission through your network, click a File’s Trajectory.
  • View — To view details on all of the connection’s detected file or malware events detected by AMP for

Networks (“network-based malware events”), click View File Events or View Malware Events.

Viewing Intrusion Events Associated with a Connection

If you associate an intrusion policy with an access control rule or default action, the system can detect exploits

in matching traffic. Use the Analysis > Connections menu options to see the intrusion events, if any, associated
with logged connections, as well as their priority and impact.

In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.

Before you begin
You must be an Admin or Security Analyst user to perform this task.

Procedure

Step 1 Go to Analysis > Connections and choose the relevant option.
Step 2 While using a connection event table, click Intrusion Events in the Intrusion Events column.
Step 3 In the pop-up window that appears, you have the following options:

  • Click a Listed Event’s View to view details in the packet view.
  • Click View Intrusion Events to view details on all of the connection’s associated intrusion events.

Encrypted Connection Certificate Details

You can use options under the Analysis > Connections menu to display the public key certificate (if available) used to encrypt a connection handled by the system. The certificate contains the following information.

Table 2: Encrypted Connection Certificate Details

Attribute Description
Subject/Issuer Common Name The host and domain name of the certificate

subject or certificate issuer.
Subject/Issuer Organization| The organization of the certificate subject or certificate issuer.
Subject/Issuer Organization Unit| The organizational unit of the certificate subject or certificate issuer.
Not Valid Before/After| The dates when the certificate is valid.
Serial Number| The serial number assigned by the issuing CA.
Certificate Fingerprint| The SHA hash value used to authenticate the certificate.
Public Key Fingerprint| The SHA hash value used to authenticate the public key contained within the certificate.

Viewing the Connection Summary Page

The Connection Summary page is visible only to users who have custom roles that are restricted by searches on connection events and who have been granted explicit menu-based access to the Connection Summary page. This page provides graphs of the activity on your monitored network organized by different criteria.
For example, the Connections over Time graph displays the total number of connections on your monitored network over the interval that you choose.

You can perform almost all the same actions on connection summary graphsthat you can perform on connection graphs. However, because the graphs on the Connection Summary page are based on aggregated data, you cannot examine the individual connection events on which the graphs are based. In other words, you cannot drill down to a connection data table view from a connection summary graph.

In a multidomain deployment, you can view data for the current domain and for any descendant domains.
You cannot view data from higher level or sibling domains.

Procedure

Step 1 Choose Overview > Summary > Connection Summary.
Step 2 From the Select Device list, choose the device whose summary you want to view, or choose All to view a
summary of all devices.
Step 3 To manipulate and analyze the connection graphs, proceed as described in Using Connection Event Graphs.

Tip
 To detach a connection graph so you can perform further analysis without affecting the default time
range, click View

Related Topics
Enable User Role Escalation

References

Read User Manual Online (PDF format)

Loading......

Download This Manual (PDF format)

Download this manual  >>

Cisco User Manuals

cisco Configuring Console Access Instructions
Cisco
cisco HyperFlex HX-Series Data Platform for HCI Instructions
Cisco
CISCO Meraki Cloud Monitoring for Catalyst User Guide
Cisco
CISCO Cloud-Delivered Catalyst SD-WAN Platform User Guide
Cisco
CISCO 60079011 Wi Fi 6 E Access Point User Manual
Cisco
CISCO IP Phone o Through the Normal Startup Process User Guide
Cisco
CISCO Install Enterprise NFVIS Using USB User Guide
Cisco
CISCO NCS 1014 Network Convergence System 1014 Instruction Manual
Cisco
CISCO Set Up Webex User Guide
Cisco
CISCO Webex App User Guide
Cisco
CISCO DNA Center Configure Telemetry User Guide
Cisco
802.11 Parameters for Cisco Access Points User Guide
Cisco
CISCO Nexus 3000 Series NX-OS Verified Scalability Guide Release 9.3 Instruction Manual Product Information
Cisco
CISCO P-LTE-450 Cellular Pluggable Interface Module Configuration User Guide
Cisco
CISCO Nexus 3600 Series NX-OS Verified Scalability Guide Release 9.3 User Guide
Cisco
CISCO Nexus 3000 SeriesNX-OS Verified Scalability Guide Release 9.3 User Guide
Cisco
CISCO Nexus 3000 Series NX-OS Verified Scalability Guide User Guide
Cisco
CISCO Nexus 9804 NX-OS Mode Switch Hardware Installation Guide
Cisco
CISCO Nexus 3548 Series NX-OS Verified Scalability Instructions
Cisco
CISCO 9.0SU Emergency Responder User Guide
Cisco

Related Manuals

AMAZFIT W1821US1N Bip Lite Smartwatch User Manual
Amazfit
IKEA AA-1801540-4 ELVARLI Wardrobe Combination Instructions
Ikea
FISHER PAYKEL EB24 Coffee Maker Steam Oven Speed Oven User Guide
Fisher & Paykel
Danfoss ENDAT SSI VACON NXP Air Cooled Installation Guide
Danfoss
HEYLO PF1400 PowerFilter Air Filter User Manual
HEYLO
COSTWAY BC10021 3 in 1 Foldable Baby Walker User Guide
COSTWAY
LED LBI Fixtures Retrofit Kit Instruction Manual
LED
BEGA 50961.2 Table Lamp for Indoor Use Instruction Manual
BEGA
PANHANS Digital Cross-Cut Fence for Sliding Table Saws 680 User Manual
PANHANS
XEGA S204G 3G-4G LTE Surveillance Camera User Manual
XEGA
GE In-Wall Smart Outlet 14286/ZW1001 Manual
GE
finori VNA53A Buffet Cabinet Instruction Manual
finori
realme RMA207 Watch S Smart Watch User Manual
realme
ELATEC TWN4 Multitech 2 LEGIC LF HF RFID Reader User Manual
ELATEC
IKEA APTITLIG Chopping Board User Guide
Ikea
bESTRON ACM800STE Coffee Machine Instruction Manual
bESTRON
KitchenAid KMBP100ESS Built-In Microwave Oven with Convection Cooking Owner’s Manual
KitchenAid
NAPOLEON TLV62 High Definition Oak Logs User Manual
Napoleon
CREATIVE MF8190 Sound Blaster Roar 2 User Guide
Creative
Connecting the Plantronics CS540 Headset to a Desk Phone with an EHS Cable
Nextiva
Lucid HEARING APPLE iOS and iPadOS Hearing App User Guide
Lucid HEARING
TENMARS YF-1002 Digital Multimeter User Manual
TENMARS
ROTEL A11 Tribute Stereo Integrated Amplifier Owner’s Manual
ROTEL
Dimplex DCFF40CH 40cm HV Floor Fan Instruction Manual
Dimplex
DEEPCOOL MACUBE 310 ATX Mid Tower Case User Guide
DEEPCOOL
Afoxsos HDMX1711 6 ft. Aluminum Flagpole Bracket Tangle Free Spinning Flagpole Hardware Instructions
Afoxsos
SEALEY SAC04 Air Cooler/Purifier/Humidifier Instruction Manual
SEALEY
SUMKEA 48×36 Inch Luxury LED Bathroom Mirror Instructions
SumKea
Cary Audio’s AiOS User Guide
CARY AUDIO
How do I insert or remove the microSD™ card in my Coolpad?
Coolpad
Contact Us   Privacy Policy   14.75ms