FireSIGHT System User Guide
Chapter 20      Configuring Intrusion Policies
  • To compare two revisions of the same policy, select Other Revision.
Remember to commit any changes before you generate an intrusion policy report; only committed changes appear in the report.
Step 4
Depending on the comparison type you selected, you have the following choices:
  • If you are comparing two different policies, select the policies you want to compare from the Policy A and Policy B drop-down lists.
  • If you are comparing two revisions of the same policy, select the policy from the Policy drop-down list, then select the revisions you want to compare from the Revision A and Revision B drop-down lists.
Step 5
Click OK to display the intrusion policy comparison view.
The comparison view appears.
Step 6
Click Comparison Report to generate the intrusion policy comparison report.
Step 7
The intrusion policy report appears. Depending on your browser settings, the report may appear in a pop-up window, or you may be prompted to save the report to your computer.
Setting Drop Behavior in an Inline Deployment
License: Protection
A drop rule is an intrusion rule or preprocessor rule whose rule state is set to Drop and Generate Events. You can use the Drop when Inline option in your intrusion policy to determine how the system handles drop rules in an inline deployment; see  for information on setting rule states in your intrusion policy.
In an inline deployment, you would typically set your intrusion policy to drop packets that trigger drop rules. However, you might also set your policy to not drop packets so you can assess how your configuration functions on your network. In this case, the system would generate events but would not drop packets that trigger your drop rules. When you are satisfied with the results, you can set your policy to drop packets, then reapply the access control policy that includes your policy.
When you set your intrusion policy to drop packets in an inline deployment, the system drops packets that trigger enabled drop rules and generates events for the triggered rules.
For an access control policy using a file policy with Block Malware rules for FTP, if you set the default action to an intrusion policy with Drop when Inline disabled, the system generates events for detected files or malware matching the rules, but does not drop the files. To block FTP file transfers while using an intrusion policy as the default action for the access control policy where you select the file policy, you must select an intrusion policy with Drop when Inline enabled.
Note that in a passive deployment, including when an inline interface is in tap mode, the system treats rules set to Drop and Generate Events the same as rules set to Generate Events; that is, the system generates events but does not drop packets that trigger the rules, regardless of the drop behavior of your policy. See  for more information.
Note also that the table view of intrusion events indicates when packets are dropped if Drop when Inline is enabled in an inline deployment, and when packets would have dropped if Drop when Inline is disabled. In a passive deployment, including when an inline interface is in tap mode, the table view of intrusion events always shows that drop rules would have dropped packets in an inline deployment, regardless of the setting for Drop when Inline. See  for more information.
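The behavior described in this section depends on three settings at once: the rule state, the deployment type (inline, inline in tap mode, or passive), and the Drop when Inline option. The following Python model is an added example, not code from the FireSIGHT System or from Cisco; it encodes the combinations stated above so you can check what a given configuration will do before you reapply an access control policy. It also includes an audit over constructed access control policy records that flags the FTP case mentioned above (Block Malware file rules paired with a default-action intrusion policy that has Drop when Inline disabled). The enum names, the "Dropped" / "Would have dropped" labels, and the dictionary layout of the sample policies are assumptions made for this example, not a FireSIGHT export format.

```python
from dataclasses import dataclass
from enum import Enum


class RuleState(Enum):
    DISABLED = "Disabled"
    GENERATE = "Generate Events"
    DROP_AND_GENERATE = "Drop and Generate Events"


class Deployment(Enum):
    INLINE = "inline"
    INLINE_TAP = "inline, tap mode"   # behaves like passive
    PASSIVE = "passive"


@dataclass(frozen=True)
class Outcome:
    event_generated: bool
    packet_dropped: bool
    inline_result: str  # assumed label shown in the table view of intrusion events


def evaluate_drop_rule(deployment: Deployment, drop_when_inline: bool,
                       rule_state: RuleState) -> Outcome:
    """Model the outcome for one packet that matches a rule in the given state."""
    if rule_state is RuleState.DISABLED:
        return Outcome(event_generated=False, packet_dropped=False, inline_result="")
    if rule_state is RuleState.GENERATE:
        # Generate Events never drops, in any deployment.
        return Outcome(event_generated=True, packet_dropped=False, inline_result="")
    # Drop and Generate Events: the packet is dropped only in a true inline
    # deployment with Drop when Inline enabled.
    if deployment is Deployment.INLINE and drop_when_inline:
        return Outcome(event_generated=True, packet_dropped=True, inline_result="Dropped")
    # Passive, tap mode, or Drop when Inline disabled: event only; the table
    # view reports that the packet would have been dropped inline.
    return Outcome(event_generated=True, packet_dropped=False,
                   inline_result="Would have dropped")


def audit_ftp_malware_blocking(access_control_policies):
    """Return names of access control policies whose FTP Block Malware file rules
    cannot actually block, because the default action is an intrusion policy
    with Drop when Inline disabled."""
    findings = []
    for acp in access_control_policies:
        default = acp["default_action"]
        file_policy = acp.get("file_policy")
        if default.get("type") != "intrusion_policy" or not file_policy:
            continue
        has_ftp_block = any(
            rule["action"] == "Block Malware" and "FTP" in rule["protocols"]
            for rule in file_policy["rules"]
        )
        if has_ftp_block and not default["drop_when_inline"]:
            findings.append(acp["name"])
    return findings


# Constructed sample data for the audit (not a real FMC export).
SAMPLE_POLICIES = [
    {
        "name": "acp-audit-mode",
        "default_action": {"type": "intrusion_policy",
                           "name": "ips-assess", "drop_when_inline": False},
        "file_policy": {"rules": [
            {"action": "Block Malware", "protocols": ["FTP", "HTTP"]},
        ]},
    },
    {
        "name": "acp-enforcing",
        "default_action": {"type": "intrusion_policy",
                           "name": "ips-drop", "drop_when_inline": True},
        "file_policy": {"rules": [
            {"action": "Block Malware", "protocols": ["FTP"]},
        ]},
    },
    {
        "name": "acp-no-file-policy",
        "default_action": {"type": "intrusion_policy",
                           "name": "ips-assess", "drop_when_inline": False},
    },
]


if __name__ == "__main__":
    for dep in Deployment:
        for dwi in (True, False):
            out = evaluate_drop_rule(dep, dwi, RuleState.DROP_AND_GENERATE)
            print(f"{dep.value:18} Drop when Inline={dwi!s:5} -> "
                  f"dropped={out.packet_dropped} table={out.inline_result!r}")
    print("FTP Block Malware not enforced in:", audit_ftp_malware_blocking(SAMPLE_POLICIES))
```

Run it after editing a policy to confirm the matrix matches your intent; the audit function is the kind of check worth adding to a change review so an intrusion policy left in assessment mode does not silently turn FTP malware blocking into detect-only.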