Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 20      Configuring Intrusion Policies
  Understanding the Base Policy
This policy is built for both speed and detection. It serves as a good starting point for most 
organizations. It is also a good starting point for any type of deployment.
  • Connectivity Over Security
This policy is built for organizations where connectivity (being able to get to all resources) takes 
precedence over network infrastructure security. This policy enables far fewer rules than those 
enabled in the Security Over Connectivity policy. Only the most critical rules that block traffic are 
enabled.
  • No Rules Active
All intrusion rules, preprocessors, and other configurable intrusion policy features in this policy are 
disabled by default. This policy provides a starting point if you want to create your own policy 
instead of basing it on the enabled rules and features in one of the other policies provided by Cisco. 
The system automatically enables any preprocessor required by rules you enable.
Note that all rules and most preprocessors and other advanced features are disabled in this policy.
  • Security Over Connectivity
This policy is built for organizations where network infrastructure security takes precedence over 
user convenience. This policy enables numerous network anomaly rules that could alert on or drop 
legitimate traffic.
You can use copies of Cisco default policies or create your own policies with tuned rule sets and 
advanced settings configurations to inspect traffic in the way that matters most to you. By doing this, 
you can improve both the performance of your managed device and your ability to respond effectively 
to the events it generates.
Note that the following initial policies, which come with your system, are custom policies provided by 
Cisco; they are not default policies:
  • Initial Inline Policy
  • Initial Passive Policy
Each of these custom policies uses a default policy as its base policy.
Using a Custom Base Policy
License: Protection
Custom policies include policies you create and the following two initial policies that come with your 
system:
  • Initial Inline Policy
  • Initial Passive Policy
You can use a custom policy as your base policy. Changes that you make to rules and advanced settings 
in a custom policy are automatically included in your base policy when you commit (that is, save changes 
in) the custom policy. However, you can override a default setting by modifying it in the policy that uses 
the custom policy as its base policy.
You can chain up to five custom policies, with four of the five using one of the other four previously 
created policies as its base policy; the fifth uses a default intrusion policy as its base policy.
In a custom base policy, you do not have the option of allowing rule updates to modify the base policy. 
However, in some cases importing a rule update may impact the custom base policy when the parent 
policy, that is, the original policy that you use as your custom base policy, allows rule updates to modify 
its base policy. See 
 for more information.
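
The chaining and override behavior described above can be reasoned about with a small model. The following is an added example, not Cisco code and not a FireSIGHT API: the `Policy` class, the function names, the policy names "Site Base" and "DMZ", and the rule names and states are all constructed for illustration. It resolves which layer supplies a setting, enforces the five-custom-policy limit, and reports whether rule updates can reach a policy through its chain.

```python
from dataclasses import dataclass, field

MAX_CUSTOM_CHAIN = 5  # from the page: up to five custom policies can be chained

@dataclass
class Policy:
    name: str
    base: "Policy | None" = None                   # None marks a default policy
    settings: dict = field(default_factory=dict)   # values set in this layer only
    allow_rule_updates: bool = False               # assumed flag for the base-policy option

def chain(policy):
    """Return [policy, its base, ..., default policy]; reject invalid chains."""
    out, seen, node = [], set(), policy
    while node is not None:
        if id(node) in seen:
            raise ValueError("base policy loop at " + node.name)
        seen.add(id(node))
        out.append(node)
        node = node.base
    customs = [p for p in out if p.base is not None]
    if len(customs) > MAX_CUSTOM_CHAIN:
        raise ValueError("more than five chained custom policies")
    for p in customs:
        # The option is not offered when the base is itself a custom policy.
        if p.allow_rule_updates and p.base.base is not None:
            raise ValueError(p.name + ": option not available with a custom base")
    return out

def effective(policy, key):
    """Nearest layer that sets key wins; returns (value, name of that layer)."""
    for p in chain(policy):
        if key in p.settings:
            return p.settings[key], p.name
    return None, None

def rule_updates_reach(policy):
    """True if some policy in the chain lets rule updates modify its default base."""
    return any(p.allow_rule_updates for p in chain(policy) if p.base is not None)

# Constructed sample: rule names and states are illustrative only.
default = Policy("Connectivity Over Security",
                 settings={"rule-A": "drop", "rule-B": "disabled"})
site = Policy("Site Base", base=default, settings={"rule-B": "alert"},
              allow_rule_updates=True)
dmz = Policy("DMZ", base=site, settings={"rule-A": "alert"})

if __name__ == "__main__":
    print(effective(dmz, "rule-A"), effective(dmz, "rule-B"))
    print(rule_updates_reach(dmz))
```

In this model, "DMZ" cannot set the rule-update option itself, yet a rule update can still change what it inspects because its parent "Site Base" allows updates to modify its default base.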