Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21: Managing Rules in an Intrusion Policy
Managing FireSIGHT Rule State Recommendations
You can use the FireSIGHT Recommended Rules feature to associate the operating systems, servers, and 
client application protocols detected on your network (see 
) with rules written to protect those assets.
When you configure the FireSIGHT Recommended Rules feature, the system searches your base policy 
for rules that protect against vulnerabilities associated with your network assets, and identifies the 
current state of rules in your base policy. The system then recommends rule states and, optionally, sets 
the rules to the recommended states using the criteria in the following table.
The Cisco Vulnerability Research Team (VRT) determines the appropriate state of each rule in the 
default policies provided by Cisco. Thus, when your base policy is a default policy provided by Cisco, 
the net effect of allowing the system to set your rules to the FireSIGHT recommended rule states is that 
the rules in your intrusion policy match the settings recommended by Cisco for your network assets. See 
 for more information.
Generating rule state recommendations can be as simple as choosing whether to use the recommended 
rule states, either when you generate recommendations or at a later time. Advanced recommendations 
options allow you to tailor your configuration.
Note that while the system typically recommends rule state changes for standard text rules and shared 
object rules, it can also recommend changes for preprocessor and decoder rules.
You can schedule a task to generate recommendations automatically based on the most recently saved 
configuration settings in your intrusion policy. For information on scheduling a task to generate 
recommended rule states, see 
See the following sections for more information:
  •
  •
  •
Understanding Basic Rule State Recommendations
License: Protection + FireSIGHT
You can generate recommendations without using the recommended rule states in your policy. You can 
then display any of three filtered views of the Rules page to show rules that the system recommends you 
set to Generate Events, Drop and Generate Events, or Disable. This allows you to see beforehand which 
rules would be modified when you choose to use the recommended rule states. You can also choose to 
generate recommendations and immediately use them. 
While displaying the recommendation-filtered Rules page, or after accessing the Rules page directly 
from the navigation panel or the Policy Information page, you can manually set rule states, sort rules, 
and take any of the other actions available on the Rules page such as suppressing rules, setting rule 

Table 21-9  FireSIGHT Rule State Recommendations Based on Vulnerabilities

Base Policy Rule State        Rule Protects Your Discovered Assets?   Recommend Rule State
Generate Events or Disable    yes                                     Generate Events
Drop and Generate Events      yes                                     Drop and Generate Events
any                           no                                      Disable
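
The criteria in Table 21-9 and the preview of rules that would be modified, modelled as an added Python example (not Cisco's code and not part of the guide). The rule records, SIDs and vulnerability identifiers are constructed, and matching a rule to assets through a shared vulnerability identifier is an assumption about how the association is made.

```python
from collections import defaultdict

GENERATE = "Generate Events"
DROP = "Drop and Generate Events"
DISABLE = "Disable"

def recommend(base_state, protects_assets):
    """Apply Table 21-9 to one rule."""
    if base_state not in (GENERATE, DROP, DISABLE):
        raise ValueError(f"unknown rule state: {base_state!r}")
    if not protects_assets:
        return DISABLE      # any base state, rule protects no discovered asset
    if base_state == DROP:
        return DROP         # already dropping: stays Drop and Generate Events
    return GENERATE         # Generate Events or Disable: becomes Generate Events

def preview(rules, asset_vulns):
    """Return {recommended state: [(sid, current state)]} for rules that would change."""
    views = defaultdict(list)
    for rule in rules:
        # Assumption: a rule protects an asset when they share a vulnerability id.
        protects = not asset_vulns.isdisjoint(rule["vulns"])
        rec = recommend(rule["state"], protects)
        if rec != rule["state"]:
            views[rec].append((rule["sid"], rule["state"]))
    return dict(views)

# Constructed sample data: vulnerabilities mapped to discovered hosts, and a
# base policy of five rules (hypothetical SIDs and placeholder vulnerability ids).
ASSET_VULNS = {"VULN-A", "VULN-B"}
RULES = [
    {"sid": 1000001, "state": DISABLE,  "vulns": {"VULN-A"}},
    {"sid": 1000002, "state": DROP,     "vulns": {"VULN-B"}},
    {"sid": 1000003, "state": GENERATE, "vulns": {"VULN-C"}},
    {"sid": 1000004, "state": DROP,     "vulns": {"VULN-D"}},
    {"sid": 1000005, "state": GENERATE, "vulns": {"VULN-A", "VULN-C"}},
]

if __name__ == "__main__":
    for state, changed in preview(RULES, ASSET_VULNS).items():
        print(f"{state}: {changed}")
```

Rules 1000003 and 1000004 land in the Disable view here, which is the group worth reviewing before using the recommendations, since those rules stop generating events (or dropping) once the states are applied.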