When it comes to security, the word blacklist is always tied to something bad. However, this is not the case when we deal with health policies in Cisco FMC. FMC offers a nice feature called health monitor blacklist. This feature allows us to suppress the health alerts related to one or more FTD appliances.
Not only that, the health monitor blacklist feature goes further: it allows us to narrow the alert suppression down to one or more specific health modules. This is called a partial blacklist.
Why would we need this? Think about a situation where an FTD appliance is about to go into a maintenance window that we know will trigger a bunch of health monitor alerts on the FMC. Or maybe we know that one or more health alerts are being generated by the FMC, but we are not interested in seeing them.
One thing to keep in mind is that although the FMC suppresses the alerts, they are still generated behind the scenes; they are simply marked as disabled. Hence, they won't show up in the health monitor alerts.
This remains the case even after we un-blacklist the FTD appliance in question, which means we won't see the alerts that were generated while our FTD was blacklisted. However, any new alerts generated after we un-blacklist our FTD will show up as normal.
In our lab, we have an FMC that is managing multiple FTD appliances. All the FTD appliances we have in our lab are currently generating health alerts about not receiving traffic on their external interfaces.
This post will demonstrate how to blacklist all the FTDv-01 appliance alerts, and also how to blacklist only the interface status alerts of the FTDv-03 appliance. Let's get started.
Current Alerts Situation
All the FTD appliances are triggering FMC interface status health alerts because they are not currently receiving any traffic on their external interfaces.
Blacklist All FTDv-01 Appliance Alerts
Go to the Cog icon > Health > Blacklist
Select FTDv-01 appliance and click Blacklist Selected Devices
Check how the health monitor of FTDv-01 is now marked as disabled/blacklisted
I'm not sure why it shows 37 modules as blacklisted, but the list below actually contains 38 modules. If you have any idea, please share it in the post comments below.
Let's now check whether the FTDv-01 appliance health monitor alerts are still showing up
Once the new FMC health check cycle kicked in, we no longer see the FTDv-01 health alerts.
Blacklist Interface Status Alerts on the FTDv-03 Appliance
Go to the Cog icon > Health > Blacklist and click the pencil icon to edit the health policy
Select the Interface Status module from the list and click Save
As you can see, the FTDv-03 appliance now shows as partially blacklisted. Unlike FTDv-01, the FTDv-03 health monitor will not show up as disabled; instead it will show up in green. However, if any of the other modules' health checks fail, the FTDv-03 health status will change to red.
As shown in the above screenshot, only one module is blacklisted, which is the Interface Status module we suppressed.
Similar to FTDv-01, once the new health check cycle kicked in, the FTDv-03 interface status health alerts disappeared.
Un-Blacklist FTDv-01 and FTDv-03 Appliances' Alerts
Go to the Cog icon > Health > Blacklist, select the FTDv-01 and FTDv-03 appliances and click Clear Blacklist on Selected Devices
After a few minutes we can see both FTDv-01 and FTDv-03 appliances have been cleared from being blacklisted.
Now that we've cleared the FTDv-01 and FTDv-03 appliances from the blacklist, we see the health alerts generated by the FMC again.
This wraps up this post about how to use the FMC health monitor blacklist feature.
Thank you for reading!