Cisco Cisco Firepower Management Center 4000

Note that you can use intrusion event thresholding alone or in any combination with rate-based attack 
prevention, the 

detection_filter

 keyword, and intrusion event suppression. See 

, and 

 for more information.

See the following sections for more information:

You can also add thresholds from within the packet view of an intrusion event. See 

 for more information.

Protection

You can set a threshold for one or more specific rules. You can also separately or simultaneously modify 
existing threshold settings. You can set a a single threshold for each. Adding a threshold overwrites any 
existing threshold for the rule.

For more information on viewing and deleting threshold configurations, see 

You can also modify the global threshold that applies by default to all rules and preprocessor-generated 
events. For more information, see 

.

Note that a revert icon (

) appears in a field when you type an invalid value; click it to revert to the 

last valid value for that field or to clear the field if there was no previous value.

A global or individual threshold on a managed device with multiple CPUs may result in a higher number 
of events than expected.

Admin/Intrusion Admin

Select 

The Intrusion Policy page appears.

Click the edit icon (

) next to the policy you want to edit.

If you have unsaved changes in another policy, click 

 to discard those changes and continue. See 

 for information on saving unsaved changes in another 

policy.

The Policy Information page appears.

Click 

.

The Rules page appears. By default, the page lists the rules alphabetically by message. 

Locate the rule or rules where you want to set a threshold. You have the following options:

To sort the current display, click on a column heading or icon. To reverse the sort, click again.