Cisco Firepower Management Center 2000

FireSIGHT System User Guide
 
Chapter 20  Configuring Intrusion Policies
Managing Intrusion Policies
Creating an Intrusion Policy
License: Protection
You can create one or more intrusion policies. For example, you can create policies that monitor traffic on your network. You can also create policies that you use for testing in a safe network environment, or for familiarizing yourself with features such as FireSIGHT Recommended Rules or the different default policies provided by Cisco.
When you create a policy, a pop-up window provides immediate access to the features you are most likely to configure. You can create your intrusion policy using only the options in the pop-up window, or you can save your changes and continue to the advanced intrusion policy editor, where you can configure any intrusion policy features.
Tip: You can import intrusion policies from other Defense Centers in your deployment. See  for more information.
To create an intrusion policy:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2  Click Create Policy.
If you have unsaved changes in another policy, click Cancel when prompted to return to the Intrusion Policy page. See  for information on saving unsaved changes in another policy.
The Create Intrusion Policy pop-up window appears.
Step 3  Type a unique name of 50 characters or less that identifies your policy and, optionally, a description that differentiates it from other policies.
Step 4  Specify whether you want the system to drop the packet and generate an event when a packet triggers a rule set to Drop and Generate Events in an inline deployment:
  • To drop the packet and generate an event, select the Drop when Inline check box.
  • To generate an event but not drop the packet, clear the Drop when Inline check box.
Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy. For more information, see , and
Step 5  Optionally, select a different Cisco default or custom policy that you want to use as the base policy for your intrusion policy from the Base Policy drop-down list. See for more information.
Step 6  You have the following options:
  • To exit the pop-up window without creating a policy, click Cancel.
    The Intrusion Policy page appears.
  • To save your changes, click Create Policy.
    The Intrusion Policy page appears.