Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 20: Configuring Intrusion Policies
Step 4: Save your policy, continue editing, discard your changes, or exit while leaving your changes in the
system cache. See the 
 table for more information.
Understanding the Base Policy
License: Protection
The base policy in an intrusion policy defines the default settings for all rules and advanced settings in 
the policy. You can use a default policy provided by the Cisco Vulnerability Research Team (VRT) as 
your base policy, or you can use a custom policy that you create as your base policy. 
Note the following important information regarding base policies:
  • The base policy includes configurations for rules and advanced settings. It does not include FireSIGHT Recommended Rules.
  • Modifying a rule or advanced setting in your policy overrides the corresponding default setting in the base policy.
  • The base policy is the lowest layer in an intrusion policy. For information on using policy layers to more effectively manage multiple intrusion policies, see .
  • Depending on your configuration, importing rule updates may modify settings in your base policy. However, changes that a rule update makes to your base policy do not override changes that you make to rules or advanced settings in your policy. See  for more information.
Using Default Intrusion Policies
License: Protection
Five default intrusion policies are delivered with the FireSIGHT System. You can use four of these 
default policies. Cisco uses the fifth, Experimental Policy 1, for testing purposes and you should not use 
it unless instructed to do so by a Cisco representative. 
The Cisco Vulnerability Research Team (VRT) sets the state of each intrusion and preprocessor rule in 
each default policy. The VRT also sets the default state, enabled or disabled, of each preprocessor and 
of other advanced features, and the default option settings for each. For example, a rule might be enabled 
in the Security over Connectivity default policy and disabled in the Connectivity over Security default 
policy. Intrusion protection features in an intrusion policy you create inherit the default settings in a 
default policy that you use to create your policy. By using the policies provided by Cisco as a basis for 
your intrusion policy, you can take advantage of the experience of the VRT.
The default intrusion policies that you can use are:
  • Balanced Security and Connectivity