Cisco Cisco Firepower Management Center 4000

The event type is always 

 for packets seen while the system is pruning, regardless of 

deployment.

The following table summarizes drop rule behavior in passive and inline deployments.

Note that setting what is called a pass rule to Generate Events has a different effect. For information, see 

Note also that your inline intrusion policies can include rules that use the 

replace

 keyword. For 

information, see 

.

Admin/Intrusion Admin

Select 

.

The Intrusion Policy page appears.

Click the edit icon (

) next to the policy you want to edit.

If you have unsaved changes in another policy, click 

 to discard those changes and continue. See 

 for information on saving unsaved changes in another 

policy.

The Policy Information page appears.

Specify whether you want the system to drop the packet and generate an event when the packet triggers 
a rule set to Drop and Generate Events in an inline deployment:

To drop the packet and generate an event, select the 

 check box.

To generate an event but not drop the packet, clear the 

 check box.

Note that the system does not drop packets in a passive deployment, including when an inline interface 
is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy. For more 
information, see 

, 

, and 

On 3D9900 and Series 3 devices, an inline set can use tap mode, which allows you to passively monitor 
traffic.

inline

enabled

dropped

Dropped

inline

disabled

not dropped

Would have dropped

inline (tap mode)

enabled

not dropped

Would have dropped

inline (tap mode)

disabled

not dropped

Would have dropped

passive

enabled

not dropped

Would have dropped

passive

disabled

not dropped

Would have dropped