The Firepower System® remediation API allows you to create remediations that your Firepower Management Center can automatically launch when conditions on your network violate the associated correlation policy. A remediation is the response your software program executes to mitigate the detected condition. For example, you can block traffic at a router on the source or destination IP address, or initiate a host Nmap scan to assess the host status. If multiple rules in a policy trigger, the Firepower Management Center can launch responses for each rule.
A remediation module is the package of files you install on the Firepower Management Center to perform the response. A remediation module can incorporate several remediation types as shown in the graphic below.
For example, one of the system-provided remediation modules, the Cisco PIX router module, performs two remediation types: it either blocks packets by source IP address or blocks them by destination IP address.
If a remediation module targets multiple devices on your network (routers, hosts, and so forth), you configure the module to run multiple instances, one per device, when the correlation policy triggers. An instance is an instantiation of the remediation module, with one or more remediation types that correspond to functions in the remediation module code, and with the set of variables needed to run on the target device. For each instance, you specify the remediation type or types it executes and the instance-specific information, such as the device’s IP address and password, that the remediation needs to access the target device on your network.
See examples of community-supported remediation modules used by third-party applications and infrastructure technology, including Cisco ISE. Modules can be used as a reference or can be modified to work with other third-party applications: https://supportforums.cisco.com/community/12226126/sourcefire-api#quicktabs-community_activity=1
API forum:
https://supportforums.cisco.com/community/12226126/sourcefire-api
List of Remediation API partners:
http://www.cisco.com/c/en/us/products/security/partner-ecosystem.html