Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 21 Managing Rules in an Intrusion Policy
Setting Rule States
The VRT sometimes uses a rule update to change the default state of one or more rules in a default policy.
If you allow rule updates to update your base policy, you also allow the rule update to change the default
state of a rule in your policy when the default state changes in the default policy you used to create your
policy (or in the default policy it is based on). Note, however, that if you have changed the rule state, the
rule update does not override your change.
To change the rule state for one or more rules:
Access: Admin/Intrusion Admin
Step 1  Select Policies > Intrusion > Intrusion Policy.
The Intrusion Policy page appears.
Step 2  Click the edit icon next to the policy you want to edit.
If you have unsaved changes in another policy, click OK to discard those changes and continue. See
for information on saving unsaved changes in another policy.
The Policy Information page appears.
Note that this page indicates the total number of enabled rules, the total number of enabled rules set to
Generate Events, and the total number set to Drop and Generate Events. Note also that in a passive
deployment, rules set to Drop and Generate Events only generate events.
Step 3  Click Manage Rules on the Policy Information page.
The Rules page appears. By default, the page lists the rules alphabetically by message.
Step 4  Locate the rule or rules where you want to set the rule state. You have the following options:
• To sort the current display, click a column heading or icon. To reverse the sort, click again.
• Construct a filter by clicking keywords or arguments in the filter panel on the left. For more
information, see the following topics:
The page refreshes to display all matching rules.
Step 5  Select the rule or rules where you want to set the rule state. You have the following options:
• To select a specific rule, select the check box next to the rule.
• To select all the rules in the current list, select the check box at the top of the column.
Step 6  You have the following options:
• To generate events when traffic matches the selected rules, select Rule State > Generate Events.
• To generate events and drop the traffic in inline deployments when traffic matches the selected rules,
select Rule State > Drop and Generate Events.
• To not inspect traffic matching the selected rules, select Rule State > Disable.
Note  Cisco strongly recommends that you do not enable all the intrusion rules in an intrusion policy.
The performance of your managed device is likely to degrade if all rules are enabled. Instead,
tune your rule set to match your network environment as closely as possible.
Step 7  Save your policy, continue editing, discard your changes, or exit while leaving your changes in the
system cache. See the
table for more information.
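The following Python sketch is an added example, not Cisco code or a FireSIGHT API. It models the two behaviours described above: a rule update changes a rule's state only where you have not set the state yourself, and Drop and Generate Events only generates events in a passive deployment. All names (Rule, apply_rule_update, update_base, the rule labels A to D) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DISABLE, GENERATE, DROP = "Disable", "Generate Events", "Drop and Generate Events"

@dataclass
class Rule:
    base_state: str                 # default state inherited from the base policy
    override: Optional[str] = None  # state you set yourself on the Rules page

    @property
    def state(self) -> str:
        return self.override if self.override is not None else self.base_state

def apply_rule_update(policy, new_defaults, update_base=True) -> List[str]:
    """Apply new default states; return the rules whose configured state changed."""
    changed = []
    if not update_base:             # rule updates are not allowed to update the base policy
        return changed
    for rule_id, new_state in new_defaults.items():
        rule = policy.get(rule_id)
        if rule is None:
            continue
        before = rule.state
        rule.base_state = new_state
        if rule.state != before:    # an explicit override masks the new default
            changed.append(rule_id)
    return changed

def effective_action(state: str, inline: bool) -> str:
    """What a matching packet experiences, given the deployment type."""
    if state == DISABLE:
        return "not inspected"
    return "drop + event" if state == DROP and inline else "event only"

def summary(policy) -> Dict[str, int]:
    """The three totals the Policy Information page reports."""
    states = [r.state for r in policy.values()]
    return {"enabled": sum(s != DISABLE for s in states),
            "generate": states.count(GENERATE), "drop": states.count(DROP)}

def sample_policy():
    # Constructed rules; "A".."D" are placeholders, not real rule IDs.
    return {"A": Rule(GENERATE), "B": Rule(GENERATE, override=DISABLE),
            "C": Rule(DISABLE), "D": Rule(DROP)}

if __name__ == "__main__":
    policy = sample_policy()
    print("changed:", apply_rule_update(policy, {"A": DROP, "B": DROP, "C": GENERATE}))
    print("totals:", summary(policy))
```

Diffing the returned list after each rule update shows which rules silently moved to a different state, which is the set worth reviewing before the policy is reapplied.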