Cisco Firepower Management Center 4000
53-20
FireSIGHT System User Guide
Chapter 53 Updating System Software
Importing Rule Updates and Local Rule Files
• You can reinstate a local rule that you have deleted by importing the rule using the SID assigned by the system and a revision number greater than the current revision number. Note that the system automatically increments the revision number when you delete a local rule; this is the mechanism that allows you to reinstate local rules.
To view the revision number for a deleted local rule, display the Rule Editor page (Policies > Intrusion > Rule Editor), click the deleted rule category to expand the folder, then click Edit next to the rule.
• You cannot import a rule file that includes a rule with a SID greater than 2147483647 (the largest signed 32-bit integer); the import will fail.
• If you import a rule that includes a list of source or destination ports that is longer than 64 characters, the import will fail.
• The system always sets local rules that you import to the disabled rule state; you must manually set the state of local rules before you can use them in your intrusion policy. See for more information.
• You must make sure that the rules in the file do not contain any escape characters.
• The rules importer requires that all custom rules be imported in ASCII or UTF-8 encoding.
• All imported local rules are automatically saved in the local rule category.
• All deleted local rules are moved from the local rule category to the deleted rule category.
• The system imports local rules preceded by a single pound character (#).
• The system ignores local rules preceded by two pound characters (##) and does not import them.
• Cisco strongly recommends that you import local rules on the primary Defense Center in a High Availability Pair to avoid SID numbering issues.
• Policy validation fails if you enable an imported local rule that uses the deprecated threshold keyword in combination with the intrusion event thresholding feature in an intrusion policy. See for more information.
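The constraints above are only reported by the Defense Center after a failed upload, and a single bad line fails the whole file. The following pre-import lint is an added example (it is not part of the FireSIGHT guide or Cisco's software): it reads a local rule file and applies the documented limits, so that an oversized SID, an over-long port list, a non-UTF-8 file, or a stale revision on a rule you are trying to reinstate is caught on your workstation first. The `CURRENT_REVS` map, standing in for the revision numbers the Defense Center holds for deleted rules, and the reading of "escape characters" as ASCII control characters are assumptions of this example; the sample rule file is constructed.

```python
"""Pre-import lint for a FireSIGHT local rule file (added example, not Cisco code).

Applies the documented import constraints to a text rule file before it is
uploaded via Policies > Intrusion > Rule Editor > Import Rules. Assumptions:
current_revs models the revision the Defense Center currently holds for a SID
(used for the reinstate-by-higher-revision rule), and "escape characters" is
read as ASCII control characters, ESC (0x1b) included.
"""
import re
from typing import Dict, List, Optional, Tuple

MAX_SID = 2147483647            # documented ceiling; the int32 maximum
MAX_PORT_LIST_CHARS = 64        # documented ceiling for a src/dst port list

# Snort rule shape: action proto src_ip src_port direction dst_ip dst_port (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def lint_rule_file(data: bytes,
                   current_revs: Optional[Dict[int, int]] = None) -> Tuple[List[dict], List[str]]:
    """Return (rules that would import, error strings) for the raw bytes of a rule file."""
    current_revs = current_revs or {}
    accepted: List[dict] = []
    errors: List[str] = []

    try:
        text = data.decode("utf-8")           # ASCII is a strict subset of UTF-8
    except UnicodeDecodeError as exc:
        return accepted, [f"file is not ASCII/UTF-8: {exc}"]

    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                           # '##' lines are ignored by the importer
        commented = line.startswith("#")
        if commented:
            line = line[1:].lstrip()           # a single '#' rule is still imported
        problems: List[str] = []

        if any(ord(c) < 0x20 for c in line):   # assumption: control chars == "escape characters"
            problems.append("contains control/escape characters")

        m = HEADER_RE.match(line)
        if not m:
            problems.append("rule header does not parse")
        else:
            for field in ("src_port", "dst_port"):
                if len(m.group(field)) > MAX_PORT_LIST_CHARS:
                    problems.append(f"{field} list is {len(m.group(field))} chars, limit {MAX_PORT_LIST_CHARS}")
            sid_m = SID_RE.search(m.group("options"))
            rev_m = REV_RE.search(m.group("options"))
            if not sid_m:
                problems.append("missing sid")
            else:
                sid = int(sid_m.group(1))
                rev = int(rev_m.group(1)) if rev_m else 1
                if sid > MAX_SID:
                    problems.append(f"sid {sid} exceeds {MAX_SID}")
                elif sid in current_revs and rev <= current_revs[sid]:
                    problems.append(f"sid {sid} rev {rev} must exceed current rev {current_revs[sid]}")

        if problems:
            errors.extend(f"line {lineno}: {p}" for p in problems)
        else:
            # Imported local rules always land in the local category, disabled.
            accepted.append({"line": lineno, "sid": sid, "rev": rev,
                             "commented": commented, "state": "disabled"})
    return accepted, errors


# Constructed sample file: 16 four-digit ports give an 81-character port list (> 64).
LONG_PORTS = "[" + ",".join(str(p) for p in range(1024, 1040)) + "]"
SAMPLE_RULES = f"""## constructed sample local rules; '##' lines are never imported
alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound 4444"; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh probe"; sid:1000002; rev:2;)
## alert tcp any any -> any any (msg:"LOCAL not imported"; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"LOCAL sid too large"; sid:2147483648; rev:1;)
alert tcp any any -> $HOME_NET {LONG_PORTS} (msg:"LOCAL long port list"; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL stale revision"; sid:1000005; rev:3;)
alert tcp any any -> $HOME_NET 443 (msg:"LOCAL reinstated"; sid:1000006; rev:5;)
""".encode()

# Assumed revisions the Defense Center holds for two previously deleted local rules.
CURRENT_REVS = {1000005: 3, 1000006: 4}


def main() -> None:
    accepted, errors = lint_rule_file(SAMPLE_RULES, CURRENT_REVS)
    for r in accepted:
        print(f"would import sid {r['sid']} rev {r['rev']} (disabled, local category)")
    for e in errors:
        print("reject:", e)


if __name__ == "__main__":
    main()
```

Run against the sample, the lint accepts SIDs 1000001, 1000002 (the single-`#` rule) and 1000006 (revision 5 beats the held revision 4), drops the `##` line silently, and rejects the oversized SID, the 81-character port list, and SID 1000005 whose revision 3 does not exceed the revision the system already holds. Fix the rejects, re-run, then upload; the imported rules still arrive disabled and in the local category, so enabling them in the intrusion policy remains a separate step.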
To import local rule files:

Access: Admin

Step 1 Select Policies > Intrusion > Rule Editor.
The Rule Editor page appears.

Step 2 Click Import Rules.
The Import Rules page appears.

Tip You can also select System > Updates, then select the Rule Updates tab.

Step 3 Select Rule Update or text rule file to upload and install and click Browse to navigate to the rule file. Note that all rules uploaded in this manner are saved in the local rule category.

Step 4 Click Import.
The rule file is imported. Make sure you enable the appropriate rules in your intrusion policies. The rules are not activated until the next time you apply the affected policies.