FireSIGHT System User Guide
 
Chapter 20 Configuring Intrusion Policies
Understanding the Base Policy
Allowing Rule Updates to Modify the Base Policy
License: Protection
Rule updates that you import provide new and updated intrusion rules and preprocessor rules, modified 
states for existing rules, and modified default intrusion policy settings. Rule updates can also delete rules 
and provide new rule categories and default variables. See 
 for more information.
Rule updates always modify the default policies provided by Cisco with any changes that a rule update 
makes to rules and advanced settings. Changes to default variables and rule categories are handled at the 
system level. See 
 for more information.
When you use a default policy provided by Cisco as your base policy, you can choose whether to allow 
rule updates to modify your base policy.
If you allow rule updates to update your base policy, a new rule update makes the same changes in your 
base policy that it makes to rules and advanced settings in the default policy that you use as your base 
policy. If you have not modified the corresponding setting, the setting in your base policy determines the 
setting in your policy. However, a new rule update will not override any changes you have made in your 
policy. 
If you do not allow rule updates to update your base policy, you can manually update your base policy 
after importing one or more rule updates.
Note that rule updates always delete rules that VRT deletes, regardless of the rule state in your policy or 
whether you allow rule updates to update your base policy. Until you reapply an access control policy 
that includes your policy after a rule update deletes a rule, rules in your currently applied intrusion 
policies will behave as follows:
  • Disabled rules will remain disabled.
  • Rules set to Generate Events will continue to generate events when triggered.
  • Rules set to Drop and Generate Events will continue to generate events and drop offending packets when triggered.
Note also that, in a custom base policy, you do not have the option of allowing rule updates to modify 
the base policy, because in this case the base policy is not a default policy provided by Cisco. However, 
a rule update can modify the custom base policy when both of the following conditions are met:
  • You allow rule updates to modify the base policy of the parent policy, that is, the policy that originated the custom base policy.
  • You have not made changes in the parent policy that override the corresponding settings in the parent’s base policy.
When both conditions are met, changes in the rule update are passed to the child policy, that is, the policy 
using the custom base policy, when you save the parent policy.
For example, if a rule update enables a previously disabled rule, and you have not modified the rule’s 
state in the parent policy, the modified rule state will be passed to the custom base policy when you save the 
parent policy. See 
 for more information.
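The precedence rules above (a local change always wins over the base policy, rule updates reach a base policy only when you allow them, deletions always apply, and a custom base policy is refreshed only when its parent is saved) can be hard to keep straight in prose. The following Python model is an added illustration, not Cisco's code or anything from this guide: the class and function names, the policy names and the rule IDs (1:100, 1:200, 1:300) are constructed for the walk-through, and the model follows the behaviour described in this section rather than any FireSIGHT implementation detail.

```python
"""Model of how a rule update propagates through intrusion policies: Cisco default
policy -> your policy (base policy = the default) -> a custom base policy -> the
child policy that uses it. Added teaching example, not Cisco's code; names, field
names and rule IDs are assumptions chosen for the simulation."""

from dataclasses import dataclass, field

# Rule states as the guide names them
DISABLED = "Disabled"
GENERATE = "Generate Events"
DROP = "Drop and Generate Events"


@dataclass
class RuleUpdate:
    """One imported rule update: new rule states for the default policies plus deleted rule IDs."""
    state_changes: dict   # rule_id -> new state in the Cisco default policies
    deleted: set          # rule IDs the VRT removed outright


@dataclass
class Policy:
    name: str
    is_default: bool = False              # a default policy provided by Cisco
    base: "Policy | None" = None          # the policy this one's base policy was taken from
    allow_updates: bool = False           # "allow rule updates to modify the base policy"
    base_states: dict = field(default_factory=dict)     # rule_id -> state in the base policy
    overrides: dict = field(default_factory=dict)       # rule_id -> state you changed locally
    applied_states: dict = field(default_factory=dict)  # what the sensors currently enforce
    children: list = field(default_factory=list)        # policies using this one as a custom base

    def effective_states(self):
        """A local change always wins; otherwise the base policy's setting determines the setting."""
        return {**self.base_states, **self.overrides}

    def effective_state(self, rule_id):
        return self.effective_states().get(rule_id)

    def set_rule(self, rule_id, state):
        self.overrides[rule_id] = state

    def refresh_base(self):
        """Manually update the base policy from the default it was taken from."""
        if self.base is not None:
            self.base_states = self.base.effective_states()

    def save(self):
        """Saving a parent passes its effective settings into each child's custom base policy."""
        for child in self.children:
            child.base_states = self.effective_states()
            child.save()

    def deploy(self):
        """Reapply the access control policy that includes this policy."""
        self.applied_states = self.effective_states()


def derive(parent, name, allow_updates=False):
    """Create a policy whose base policy is `parent`. Deriving from a Cisco default gives you the
    allow-updates choice; deriving from your own policy makes a custom base policy, which has no
    such choice and is refreshed only when the parent is saved."""
    custom_base = not parent.is_default
    child = Policy(name=name, base=parent, allow_updates=False if custom_base else allow_updates,
                   base_states=parent.effective_states())
    if custom_base:
        parent.children.append(child)
    return child


def apply_rule_update(update, policies):
    """Apply an imported rule update following the rules the guide describes."""
    for p in policies:
        # Deletions always happen, regardless of rule state or the allow-updates setting
        for rule_id in update.deleted:
            p.base_states.pop(rule_id, None)
            p.overrides.pop(rule_id, None)
        # State changes land in Cisco defaults, and in base policies that allow updates
        if p.is_default or (p.allow_updates and p.base is not None and p.base.is_default):
            p.base_states.update(update.state_changes)


def demo():
    """Walk through the section's scenario with constructed rule IDs and states."""
    default = Policy("Default Policy", is_default=True,
                     base_states={"1:100": DISABLED, "1:200": GENERATE, "1:300": DROP})
    mine = derive(default, "My Policy", allow_updates=True)      # base policy may be updated
    frozen = derive(default, "Frozen Policy", allow_updates=False)
    mine.set_rule("1:200", DROP)                                # your own change in the parent
    child = derive(mine, "Child Policy")                        # uses My Policy as a custom base
    for p in (mine, frozen, child):
        p.deploy()

    update = RuleUpdate(state_changes={"1:100": GENERATE, "1:200": DISABLED}, deleted={"1:300"})
    apply_rule_update(update, [default, mine, frozen, child])
    child_before_save = child.effective_state("1:100")      # still Disabled: parent not yet saved
    frozen_before_refresh = frozen.effective_state("1:100")  # still Disabled: updates not allowed
    mine.save()
    frozen.refresh_base()                                     # the manual update path
    return {
        "mine_1:100": mine.effective_state("1:100"),          # update passed through the base policy
        "mine_1:200": mine.effective_state("1:200"),          # your change is not overridden
        "mine_1:300": mine.effective_state("1:300"),          # deleted regardless of settings
        "mine_applied_1:300": mine.applied_states.get("1:300"),  # still enforced until reapplied
        "child_before_save": child_before_save,
        "child_1:100": child.effective_state("1:100"),        # both conditions met: passed on save
        "child_1:200": child.effective_state("1:200"),        # parent's change wins, not the update
        "frozen_before_refresh": frozen_before_refresh,
        "frozen_1:100": frozen.effective_state("1:100"),      # Generate Events after manual refresh
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the three behaviours worth remembering: the deleted rule 1:300 disappears from every policy's settings at once but stays in `applied_states` (still dropping packets) until the access control policy is reapplied; the update's change to 1:200 never reaches My Policy's effective state because the local Drop and Generate Events setting wins; and Child Policy only sees the new state of 1:100 after My Policy is saved.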
Selecting the Base Policy
License: Protection