Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 20 Configuring Intrusion Policies
3. Define your security policies.
   Security policies include your internal security guidelines, as well as your variable, preprocessor, and rules configurations. You should:
   – Define the security guidelines that govern the hosts on that subnet.
     Your internal security policies guide how you tune the decoder engine, preprocessor engine, and rules engine. For example, if your security policies prohibit instant messaging, you may want to identify instant message traffic traversing your network.
   – Optionally, configure your preprocessors, enabling and disabling options as appropriate.
     For more information on the preprocessors provided in the FireSIGHT System, as well as details on how to configure them, see .
   – Define your variables to accurately reflect your home and external networks.
     Defining variables makes rule inspection more effective and efficient by directing rules to inspect the traffic to and from specific IP addresses and ports. Defining these in the default variable set or in custom sets allows you to tune your policy or system without editing every rule. Variables can also be used when suppressing rules and configuring the advanced adaptive profiles feature. For details on managing variables, see .
   – Disable shared object rules and standard text rules that do not apply to your environment and verify that all rules that do apply to your environment are enabled. For inline deployments, carefully choose the intrusion rules that you want to drop packets rather than simply generate events. For more information on setting rule states, see .
4. If none of the existing intrusion rules meet your needs, write new rules that inspect for intrusion attempts.
   For information on the rule keywords you can use to construct custom standard text rules, and their syntax, see .
5. Test your configuration.
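To show why the variables step matters, here is an added example (not code from the guide or from the FireSIGHT product) that resolves $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS in a rule header and counts how many constructed flows the header would send on to full rule inspection under the default "any" set versus a tuned custom set. It assumes Snort-style rule headers and $VAR names; the variable sets, addresses and flows are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed variable sets. $VAR names follow the Snort-style convention (assumption);
# the default set leaves HOME_NET/EXTERNAL_NET as "any", the tuned set scopes them.
DEFAULT_VARS = {"HOME_NET": ["any"], "EXTERNAL_NET": ["any"], "HTTP_PORTS": [80, 8080]}
TUNED_VARS = {"HOME_NET": ["10.1.0.0/16"], "EXTERNAL_NET": ["!10.1.0.0/16"], "HTTP_PORTS": [80, 8080]}

Flow = namedtuple("Flow", "proto src sport dst dport")

def ip_in(ip, spec):
    """True if ip matches any entry in spec: 'any', a CIDR, or a negated '!CIDR'."""
    addr = ipaddress.ip_address(ip)
    for entry in spec:
        if entry == "any":
            return True
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if (addr in net) != entry.startswith("!"):
            return True
    return False

def port_in(port, spec):
    return spec == ["any"] or port in spec

def rule_matches(header, flow, variables):
    """Evaluate a rule header 'proto src sport -> dst dport' against one flow,
    resolving $VAR tokens from the given variable set (rule options are not modelled)."""
    proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->" or proto != flow.proto:
        return False
    def resolve(tok, is_port=False):
        if tok.startswith("$"):
            return variables[tok[1:]]
        return [int(tok)] if is_port and tok != "any" else [tok]
    return (ip_in(flow.src, resolve(src)) and port_in(flow.sport, resolve(sport, True))
            and ip_in(flow.dst, resolve(dst)) and port_in(flow.dport, resolve(dport, True)))

# Rule header only: inspect HTTP traffic coming from outside toward our hosts.
HEADER = "tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS"

# Constructed flows; 10.1.0.0/16 is "our" network in the tuned set.
FLOWS = [
    Flow("tcp", "203.0.113.5", 40000, "10.1.2.3", 80),      # internet -> our web server
    Flow("tcp", "203.0.113.5", 40001, "198.51.100.9", 80),  # internet -> unrelated server
    Flow("tcp", "10.1.5.5", 40002, "10.1.2.3", 8080),       # internal -> internal
]

def flows_inspected(variables):
    """Number of constructed flows the header would send on to full rule inspection."""
    return sum(rule_matches(HEADER, f, variables) for f in FLOWS)
```

With the default set every HTTP flow is inspected; with the tuned set only traffic from outside toward your own hosts is, which is the efficiency gain the variables step describes.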
Managing Intrusion Policies
License: Protection
On the Intrusion Policy page (Policies > Intrusion > Intrusion Policy) you can view all your current intrusion policies by name with optional description along with the following information:
  • the time and date the policy was last modified and the user who modified it
  • whether dropping packets in an inline deployment is enabled in the policy
  • when a policy has unsaved changes, in italicized black text
Options on this page also allow you to create a new policy, compare two policies or two revisions of the same policy, view a report that lists all of the most recently saved settings in each policy, and edit, delete, or export a policy.
Tip: You can import intrusion policies from other Defense Centers in your deployment. See  for more information.
Note that the Intrusion Policy page displays the time a policy was last modified in local time, but intrusion policy reports list the time the policy was last modified in Coordinated Universal Time (UTC).