Health Modules
Health modules, or health tests, test for the criteria you specify in a health policy.

| Module | Appliances | Description |
|---|---|---|
| AMP Connection Status | FTD | The module alerts if the FTD cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. Disabled by default. |
| AMP for Endpoints Status | CDO | The module alerts if the CDO cannot connect to the AMP cloud or Cisco AMP Private Cloud after an initial successful connection, or if the private cloud cannot contact the public AMP cloud. It also alerts if you deregister an AMP cloud connection using the AMP for Endpoints management console. |
| AMP for Firepower Status | CDO | This module alerts if: If your CDO loses connectivity to the Internet, the system may take up to 30 minutes to generate a health alert. |
| AMP Threat Grid Connectivity | FTD | The module alerts if the FTD cannot connect to the AMP Threat Grid cloud after an initial successful connection. |
| Appliance Heartbeat | CDO | This module determines if an appliance heartbeat is being heard from the appliance and alerts based on the appliance heartbeat status. |
| ASP Drop | FTD | This module monitors the connections dropped by the data plane accelerated security path. |
| Automatic Application Bypass | FTD | This module monitors bypassed detection applications. |
| Event Backlog Status | CDO | This module alerts if the backlog of event data awaiting transmission from the device to the CDO has grown continuously for more than 30 minutes. To reduce the backlog, evaluate your bandwidth and consider logging fewer events. |
| CPU Usage (per core) | CDO and FTD | This module checks that the CPU usage on all of the cores is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is |
| CPU Usage Data Plane | FTD | This module checks that the average CPU usage of all data plane processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is |
| CPU Usage Snort | FTD | This module checks that the average CPU usage of the Snort processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is |
| CPU Usage System | FTD | This module checks that the average CPU usage of all system processes on the device is not overloaded and alerts when CPU usage exceeds the percentages configured for the module. The Warning Threshold % default value is |
| Network Card Reset | Sensor | This module checks for network cards which have restarted due to hardware failure and alerts when a reset occurs. |
| Chassis Environment Status | FTD | This module monitors chassis parameters such as fan speed and chassis temperature, and enables you to set a warning threshold and critical threshold for temperature. The Critical Chassis Temperature (Celsius) default value is |
| Database Size | CDO | This module checks the size of the configuration database and alerts when the size exceeds the values (in gigabytes) configured for the module. |
| Configuration Resource Utilization | FTD | This module alerts if the size of your deployed configurations puts a device at risk of running out of memory. The alert shows you how much memory your configurations require, and by how much this exceeds the available memory. If this happens, re-evaluate your configurations. Most often you can reduce the number or complexity of access control rules or intrusion policies. Snort Memory Allocation |
| Connection Statistics | FTD | This module monitors the connection statistics and NAT translation counts. |
| Critical Process Statistics | FTD | This module monitors the state of critical processes, their resource consumption, and the restart counts. |
| Deployed Configuration Statistics | FTD | This module monitors statistics about the deployed configuration, such as the number of ACEs and IPS rules. |
| Disk Status | CDO and FTD | This module examines performance of the hard disk and malware storage pack (if installed) on the appliance. This module generates a Warning (yellow) health alert when the hard disk and RAID controller (if installed) are in danger of failing, or if an additional hard drive is installed that is not a malware storage pack. This module generates an Alert (red) health alert when an installed malware storage pack cannot be detected. |
| Disk Usage | CDO and FTD | This module compares disk usage on the appliance’s hard drive and malware storage pack to the limits configured for the module and alerts when usage exceeds the percentages configured for the module. This module also alerts when the system excessively deletes files in monitored disk usage categories, or when disk usage excluding those categories reaches excessive levels, based on module thresholds. See Disk Usage and Drain of Events Health Monitor Alerts for information about troubleshooting scenarios for Disk Usage alerts. Use the Disk Usage health status module to monitor disk usage for the |
| Event Monitor | CDO | This module monitors overall incoming event rate to CDO. |
| Event Stream Status | CDO | This module monitors connections to third-party client applications that use the Event Streamer on the CDO. |
| CDO Access Configuration Changes | CDO | This module monitors access configuration changes made on the CDO directly using the configure network management-data-interface command. |
| CDO HA Status | CDO | This module monitors and alerts on the high availability status of the CDO. If you have not established CDO high availability, the HA Status is Not in HA. |
| FTD HA (Split-brain check) | FTD | This module monitors and alerts on the high availability status of the FTD and provides a health alert for a split brain scenario. If you have not established FTD high availability, the HA Status is Not in HA. |
| File System Integrity Check | CDO and FTD | This module performs a file system integrity check and runs if the system has CC mode or UCAPL mode enabled, or if the system runs an image signed with a DEV key. This module is enabled by default. |
| Flow Offload Statistics | FTD | This module monitors hardware flow offload statistics for a managed device. |
| Hardware Alarms | FTD | This module determines if hardware needs to be replaced on a physical managed device and alerts based on the hardware status. The module also reports on the status of hardware-related daemons. |
| Health Monitor Process | Any | This module monitors the status of the health monitor itself and alerts if the number of minutes since the last health event received by the CDO exceeds the Warning or Critical limits. |
| Discovery Host Limit | CDO | This module determines if the number of hosts the CDO can monitor is approaching the limit and alerts based on the warning level configured for the module. For more information, see Host Limit. |
| ISE Connection Monitor | CDO | This module monitors the status of the server connections between the Cisco Identity Services Engine (ISE) and the CDO. ISE provides additional user data, device type data, device location data, SGTs (Security Group Tags), and SXP (Security Exchange Protocol) services. |
| Inline Link Mismatch Alarms | Any managed device | This module monitors the ports associated with inline sets and alerts if the two interfaces of an inline pair negotiate different speeds. |
| Interface Status | Any | This module determines if the device currently collects traffic and alerts based on the traffic status of physical interfaces and aggregate interfaces. For physical interfaces, the information includes interface name, link state, and bandwidth. For aggregate interfaces, the information includes interface name, number of active links, and total aggregate bandwidth. |
| Intrusion and File Event Rate | Any managed device | This module compares the number of intrusion events per second to the limits configured for this module and alerts if the limits are exceeded. If the Intrusion and File Event Rate is zero, the intrusion process may be down or the managed device may not be sending events. Select to check if events are being received from the device. Typically, the event rate for a network segment averages 20 events per second. For a network segment with this average rate, Events per second (Critical) should be set to The maximum number of events you can set for either limit is 999, and the Critical limit must be higher than the Warning limit. |
| License Monitor | CDO | This module monitors license expiration. |
| Link State Propagation | ISA 3000 | This module determines when a link in a paired inline set fails and triggers the link state propagation mode. If a link state propagates to the pair, the status classification for that module changes to Critical and the state reads: where |
| Local Malware Analysis | CDO and FTD | This module monitors ClamAV updates for Local Malware Analysis. |
| Memory Usage | Any | This module compares memory usage on the appliance to the limits configured for the module and alerts when usage exceeds the levels configured for the module. For appliances with more than 4 GB of memory, the preset alert thresholds are based on a formula that accounts for proportions of available memory likely to cause system problems. On >4 GB appliances, because the interval between Warning and Critical thresholds may be very narrow, Cisco recommends that you manually set the Warning Threshold % value to Beginning with Version 6.6.0, the minimum required RAM for FMCv upgrades to Version 6.6.0+ is 28 GB, and the recommended RAM for FMCv deployments is 32 GB. We recommend you do not decrease the default settings: 32 GB RAM for most FMCv instances, 64 GB for the FMCv 300 (VMware only). Complex access control policies and rules can command significant resources and negatively affect performance. |
| Memory Usage Data Plane | FTD | This module checks the percentage of allocated memory used by the Data Plane processes and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is |
| Memory Usage Snort | FTD | This module checks the percentage of allocated memory used by the Snort process and alerts when memory usage exceeds the percentages configured for the module. The Warning Threshold % default value is |
| MySQL Statistics | CDO | This module monitors the status of the MySQL database, including the database size, number of active connections, and memory use. Disabled by default. |
| NTP Statistics | FTD | This module monitors the NTP clock synchronization status of the managed device. Disabled by default. |
| Firepower Platform Faults | FTD | This module generates an alert for platform faults for Firepower 1000, 2100, and 3000 series devices. A fault is a mutable object that is managed by the CDO. Each fault represents a failure in the Firepower 1000, 2100, and 3000 instance or an alarm threshold that has been raised. During the lifecycle of a fault, it can change from one state or severity to another. Each fault includes information about the operational state of the affected object at the time the fault was raised. If the fault is transitional and the failure is resolved, then the object transitions to a functional state. For more information, see the Cisco Firepower 1000/2100 FXOS Faults and Error Messages Guide. |
| Power Supply | Physical CDOs | This module determines if power supplies on the device require replacement and alerts based on the power supply status. |
| Process Status | Any | This module determines if processes on the appliance exit or terminate outside of the process manager. If a process is deliberately exited outside of the process manager, the module status changes to Warning and the health event message indicates which process exited, until the module runs again and the process has restarted. If a process terminates abnormally or crashes outside of the process manager, the module status changes to Critical and the health event message indicates the terminated process, until the module runs again and the process has restarted. |
| RRD Server Process | CDO | This module determines if the round robin data server that stores time series data is running properly. The module will alert if the RRD server has restarted since the last time it updated; it will enter Critical or Warning status if the number of consecutive updates with an RRD server restart reaches the numbers specified in the module configuration. |
| RabbitMQ Status | CDO | This module collects various statistics for RabbitMQ. |
| Realm | Any managed device | Enables you to set a warning threshold for realm or user mismatches, which are: For more information, see Detect Realm or User Mismatches. |
| Snort Reconfiguring Detection | Any managed device | This module alerts if a device reconfiguration has failed. |
| Routing Statistics | FTD | This module monitors the current state of the routing table. |
| SSE Connection Status | FTD | The module alerts if the FTD cannot connect to the SSE cloud after an initial successful connection. Disabled by default. |
| Security Intelligence | CDO | This module alerts if Security Intelligence is in use and the CDO cannot update a feed, or feed data is corrupt or contains no recognizable IP addresses. See also the Threat Data Updates on Devices module. |
| Snort Identity Memory Usage | FTD | Enables you to set a warning threshold for Snort identity processing and alerts when memory usage exceeds the level configured for the module. The Critical Threshold % default value is This health module specifically keeps track of the total space used for the user identity information in Snort. It displays the current memory usage details, the total number of user-to-IP bindings, and user-group mapping details. Snort records these details in a file. If the memory usage file is not available, the Health Alert for this module displays Waiting for data. This could happen during a Snort restart due to a new install or a major update, switch from Snort2 to Snort3 or back, or major policy deployment. Depending on the health monitoring cycle, and when the file is available, the warning disappears, and the health monitor displays the details for this module with its status turned Green. |
| Snort Statistics | FTD | This module monitors the Snort statistics for events, flows, and packets. |
| Snort3 Statistics | FTD | This module collects and monitors the Snort3 statistics for events, flows, and packets. |
| Smart License Monitor | CDO | This module monitors Smart Licensing status. |
| Sybase Statistics | CDO | This module monitors the status of the Sybase database on the CDO, including the database size, number of active connections, and memory use. |
| Threat Data Updates on Devices | Any | Certain intelligence data and configurations that devices use to detect threats are updated on the CDO from the cloud every 30 minutes. This module alerts you if this information has not been updated on the devices within the time period you have specified. Monitored updates include: By default, this module sends a warning after 1 hour and a critical alert after 24 hours. If this module indicates failure on the CDO or on any devices, verify that the CDO can reach the devices. |
| Time Series Data (RRD) Monitor | CDO | This module tracks the presence of corrupt files in the directory where time series data (such as correlation event counts) are stored and alerts when files are flagged as corrupt and removed. |
| Time Synchronization Status | CDO | This module tracks the synchronization of a device clock that obtains time using NTP with the clock on the NTP server and alerts if the difference in the clocks is more than ten seconds. |
| URL Filtering Monitor | CDO | This module alerts if the CDO fails to: You can configure time thresholds for these alerts. See also the Threat Data Updates on Devices module. |
| Unresolved Groups Monitor | CDO | Monitors unresolved groups used in policies. |
| VPN Statistics | CDO | This module monitors Site to Site and RA VPN tunnels between Firepower devices. |
| VPN Status | CDO | This module alerts when one or more VPN tunnels between Firepower devices are down. This module tracks: |
| XTLS Counters | FTD | This module monitors XTLS/SSL flows, memory and cache effectiveness. Disabled by default. |