Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 39      Configuring Correlation Policies and Rules 
  Creating Rules for Correlation Policies
  • the maximum duration of the connection tracker, that is, the time period during which the conditions you specify must be met to generate a correlation event
Tip
You can add a connection tracker to a simple correlation rule that requires only that any connection, 
intrusion, discovery, user identity, or host input event occurs.
To add a connection tracker:
Access: Admin/Discovery Admin
Step 1
On the Create Rule page, click Add Connection Tracker.
The Connection Tracker section appears.
Tip
To remove a connection tracker, click Remove Connection Tracker.
Step 2
Specify which connections you want to track by setting connection tracker criteria.
You can set connection tracker criteria by creating a single, simple condition, or you can create more 
elaborate constructs by combining and nesting conditions. 
See 
 for information on how to use the web 
interface to build conditions. The syntax you can use to build connection tracker conditions is described 
in 
Step 3
Based on the connections you decided to track in step 
, describe when you want to generate a 
correlation event.
You can create a single, simple condition that describes when you want to generate an event, or you can 
create more elaborate constructs by combining and nesting conditions.
You must also specify the interval (in seconds, minutes, or hours) during which the conditions you 
specify must be met to generate a correlation event.
See 
 for information on how to use the web 
interface to build conditions. The syntax you can use to build connection tracker conditions is described 
in 
.
Step 4
Optionally, continue with the procedures in the following sections:
  •
  •
If you are finished building the correlation rule, continue with step 
 of the procedure in 
 to save the rule.
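The logic this procedure configures, modeled in Python as an added example (not Cisco code and not part of the original guide): Step 2's criteria select which connections are tracked, and Step 3's condition must be met within the interval for a correlation event to be generated. The field names, the total-bytes condition, and the assumption that tracking starts when the rule's base event occurs are illustrative, not taken from the product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Connection:
    """Constructed connection record; field names are illustrative assumptions."""
    ts: datetime
    initiator_ip: str
    responder_port: int
    total_bytes: int

def tracker_fires(trigger_ts, connections, criteria, threshold_bytes, interval):
    """Return the time the tracker condition is first met, or None.

    trigger_ts      -- when the rule's base event occurred (assumed start of tracking)
    criteria        -- predicate selecting the connections to track (Step 2)
    threshold_bytes -- event condition: tracked bytes must exceed this (Step 3)
    interval        -- maximum duration of the tracker (Step 3)
    """
    deadline = trigger_ts + interval
    running = 0
    for conn in sorted(connections, key=lambda c: c.ts):
        if not (trigger_ts <= conn.ts <= deadline):
            continue  # outside the tracker's lifetime, never counted
        if not criteria(conn):
            continue  # does not match the tracker criteria
        running += conn.total_bytes
        if running > threshold_bytes:
            return conn.ts  # condition met inside the interval
    return None  # interval ended without the condition being met

T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample data, not real traffic.
SAMPLE = [
    Connection(T0 + timedelta(seconds=30), "10.0.0.5", 22, 4_000),
    Connection(T0 + timedelta(minutes=2), "10.0.0.5", 443, 90_000),  # port not tracked
    Connection(T0 + timedelta(minutes=3), "10.0.0.5", 22, 7_000),
    Connection(T0 + timedelta(minutes=9), "10.0.0.5", 22, 50_000),   # late for a 5-minute tracker
]

def ssh_from_host(conn):
    """Hypothetical tracker criteria: SSH connections initiated by one host."""
    return conn.initiator_ip == "10.0.0.5" and conn.responder_port == 22
```

With a 5-minute interval the large transfer at minute 9 is ignored, so a threshold that only that transfer would cross never produces an event; lengthening the interval to 10 minutes changes the outcome.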
Syntax for Connection Trackers
License: Any
The 
 table describes how to build a connection tracker condition that 
specifies the kind of connections you want to track.