
Last updated: Aug 18, 2025

About AIOps Insights

Firewalls are a critical component of any organization's network security architecture. However, as organizations expand and the threat landscape evolves, managing these firewalls becomes complex. Keeping firewall rules and configurations current as new threats, network changes, and compliance requirements emerge presents significant challenges. Improper management can lead to security gaps and vulnerabilities, posing risks to an organization's network security.

To effectively address these challenges, a new approach to firewall management is required. This is where AIOps becomes essential.

AIOps for firewalls leverages artificial intelligence (AI) and machine learning (ML) to streamline and enhance the management and security of network firewalls. By using dynamic baselines and advanced forecasting models, AIOps can detect policy anomalies and predict potential issues before they escalate, ensuring proactive maintenance and stability.


 

Currently, the AIOps features are available only for Firewall Threat Defense devices that are managed by Cloud-Delivered Firewall Management Center.

AIOps' key functionalities include:

  • Real-Time Traffic and Capacity Monitoring: Monitors network traffic and system capacity in real time and detects anomalies such as elephant flows, ensuring that resources are optimized for peak performance.

  • Policy Anomaly Detection: Analyzes firewall policies, and detects misconfigurations or anomalies before they impact performance or security.

  • Feature Adoption Insights and Best Practice Recommendations: Provides insights into the level of feature adoption and suggests best practices to optimize security configurations.

  • Predictive Forecasting for Network Issues: Predicts potential future network issues, allowing you to address them proactively and minimize downtime.

  • Critical Alerts: Filters and prioritizes the most urgent security events, helping you focus on critical issues.

AIOps' key features include:

  • Summary Insights: Provides detailed information on all insights and insight trends. You can view a list of all the anomalies, categorized by Severity and Type.

  • Policy Analyzer and Optimizer: Analyzes security policies, detects anomalies, and provides recommendations on remediations that can be performed to optimize the policies, thereby improving the firewall performance.

  • Best Practices and Recommendations: Generates detailed assessment reports that highlight failed checks against Cisco Secure Firewall best practices and provides actionable recommendations to resolve issues, ensuring optimal firewall performance.

  • Feature Adoption: Provides insights into which features are adopted and the percentage of adoption, so that you can modify the usage pattern and achieve optimal security. By analyzing the adoption rate of different features, you can decide how to improve the usage pattern and enhance security measures.

  • Configuration Settings: Provides the ability to configure thresholds for AIOps features and enable or disable insight preferences. You can customize these settings to suit your specific needs.

Insight Statuses and Transitions

The table below outlines the possible insight statuses, their descriptions, transitions, and examples.

| Status | Description | Transition | Triggered by | Example |
|---|---|---|---|---|
| Active | • An issue is detected and ongoing. • This is the initial state when an issue is identified. | | System | • High data plane CPU usage. • High data plane memory usage. |
| Resolved | • AIOps automatically marks an active insight as resolved when the issue no longer exists. • Historical details are available for reference. | • Traffic and capacity insights: Active to Resolved, automatically when the condition resolves. • Configuration insights: Active to Resolved, after you fix the issue and the system confirms it in the next check. | • Automatically by the system for performance and traffic issues. • By the user (with system confirmation) for configuration issues. | • Performance: CPU usage returns to normal after traffic drops. • Configuration: Overlapping firewall rules corrected by the user. |
| Not Applicable (NA) | • The issue existed earlier but it is no longer present. • No historical data is available for reference. | Active to Not Applicable | System | • When an Access Control policy is deleted, the corresponding insight is marked as NA. • When a device is deleted from FMC inventory, all insights for that device are marked as NA. • When earlier Policy Analyzer and Optimizer results showed issues but a recheck finds zero issues and no details to display, the insight is marked as NA. |