Cisco Firepower Management Center 4000
FireSIGHT System User Guide

CHAPTER 20
Configuring Intrusion Policies
An intrusion policy is a defined set of intrusion detection and prevention configurations. You can create an intrusion policy using the settings in the default intrusion policies that Cisco provides, or you can tailor your own policies to inspect the traffic that traverses your network. You can modify your intrusion policy to improve performance in your environment and to provide a focused view of the traffic on your network.
At a minimum, you consciously choose whether to configure the following settings:
  • Specify whether you want to drop packets that trigger rules set to Drop and Generate Events in an inline deployment. See  for more information.
  • Set variables to accurately reflect your home and external networks and, as appropriate, the servers on your network. See  for more information.
You should also consider whether to take advantage of the following capabilities, which can improve performance and better focus your network:
  • Disable rules that do not apply to your environment, verify that all rules that do apply to your environment are enabled, and set rule attributes such as suppression, thresholding, and alerting. See  for more information.
  • Associate hosts and applications on your network with rules written to protect those hosts and applications, and recommend rule state changes. See  for more information.
See the following sections for more information:
  •  describes, at a high level, the process you use to create an intrusion policy.
  •  explains how to view a listing of your intrusion policies, and create and edit policies.
  •  explains how to set whether your policy drops offending packets for rules set to Drop and Generate Events in an inline deployment.
  •  explains how to replace your base policy with a different default intrusion policy provided by Cisco or a custom base policy that you create.
  •  explains how you can enable and disable rules and configure other rule attributes such as thresholds, suppression, and so on.
  •  explains how you can generate rule state recommendations for intrusion rules based on the hosts and applications on your network.