Cisco Firepower Management Center 2000
FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
Step 7
Save your policy, continue editing, discard your changes, or exit while leaving your changes in the system cache. See the table for more information.
Setting Rule States
License: Protection
The Cisco Vulnerability Research Team (VRT) sets the default state of each intrusion and preprocessor rule in each default policy. For example, a rule may be enabled in the Security over Connectivity default policy and disabled in the Connectivity over Security default policy. Intrusion policy rules you create inherit the default states of the rules in the default policy you use to create your policy.

You can set a rule to Generate Events, to Drop and Generate Events, or to Disable individually, or you can filter the rules by a variety of factors to select the rules for which you want to modify the state. In an inline deployment, you can use the Drop and Generate Events rule state to drop malicious packets. Note that rules with the Drop and Generate Events rule state generate events but do not drop packets in a passive deployment, including when a 3D9900 or Series 3 device inline interface set is in tap mode. Setting a rule to Generate Events or to Drop and Generate Events enables the rule; setting the rule to Disable disables it.
Consider two scenarios. In the first scenario, the rule state for a specific rule is set to Generate Events. When a malicious packet crosses your network and triggers the rule, the packet is sent to its destination and the system generates an intrusion event. In the second scenario, assume that the rule state for the same rule is set to Drop and Generate Events in an inline deployment. In this case, when the malicious packet crosses the network, the system drops the malicious packet and generates an intrusion event. The packet never reaches its target.
In an intrusion policy, you can set a rule’s state to one of the following settings:
  • Set the rule state to Generate Events if you want the system to detect a specific intrusion attempt and generate an intrusion event when it finds matching traffic.
  • Set the rule state to Drop and Generate Events if you want the system to detect a specific intrusion attempt, then drop the packet containing the attack and generate an intrusion event when it finds matching traffic in an inline deployment, or to generate an intrusion event when it finds matching traffic in a passive deployment, including when a 3D9900 or Series 3 device inline interface set is in tap mode.
    Note that for the system to drop packets, your intrusion policy must be set to drop rules in an inline deployment; see  for more information.
  • Set the rule state to Disable if you do not want the system to evaluate matching traffic.
To use drop rules, you must:
  • Enable the Drop when Inline option in your intrusion policy.
  • Set the rule state to Drop and Generate Events for any rules that should drop all packets that match the rule.
  • Apply an access control policy that includes an access control rule that is associated with your intrusion policy to a managed device that uses an inline set.
Filtering rules on the Rules page can help you find the rules you want to set as drop rules. For more information, see .

See  for information about rule anatomy, rule keywords and their options, and rule writing syntax.