Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 21      Managing Rules in an Intrusion Policy 
  Managing FireSIGHT Rule State Recommendations
thresholds, and so on. See 
 for information on manually changing the 
state of selected rules. See 
 for information on other 
actions available on the Rules page for tailoring the rules in your intrusion policy.
The system does not change rule states that you set manually. When you choose to use the recommended 
rule states while generating recommendations:
  • manually setting the states of specified rules before you generate recommendations prevents the 
    system from modifying the states of those rules in the future
  • manually setting the states of specified rules after you generate recommendations overrides the 
    recommended states of those rules
Tip
You can include a list in the intrusion policy report of rules whose rule states differ from the 
recommended state. See 
 for more information.
Note that choosing to use recommended rule states adds a read-only FireSIGHT Recommendations layer 
to your intrusion policy, and subsequently choosing not to use recommended rule states removes the 
layer. See 
 for information on using policy layers to more 
efficiently manage multiple intrusion policies.
Note also that when you generate recommendations without changing the advanced settings for 
FireSIGHT recommended rules, the system recommends rule state changes for all hosts in your entire 
discovered network. Note also that, by default, the system generates recommendations only for rules 
with low or medium overhead, and generates recommendations to disable rules. See 
 for more information.
Understanding Advanced Rule State Recommendations
License: Protection or Protection + FireSIGHT
Advanced settings allow you to redefine which hosts on your network the system monitors for 
vulnerabilities, to influence which rules the system recommends based on rule overhead, and to specify 
whether to generate recommendations to disable rules.
If you want to dynamically adapt active rule processing for specific packets based on host information, 
you can also enable adaptive profiles. For more information, see 
See the following sections for more information:
  •
  •
Understanding the Networks to Examine
License: Protection + FireSIGHT
You configure the FireSIGHT Recommended Rules feature by identifying networks to examine in the 
network map. The system then recommends the rules you can activate to protect your network. For 
information on the network map, see 
You configure the Networks field with the hosts to examine for recommendations. You can specify a 
single IP address or address block, or a comma-separated list comprised of either or both.
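
A pre-check for a Networks value of the kind described above, as an added example that is not Cisco's code: it parses a comma-separated list of single addresses and address blocks, flags malformed entries, and reports which hosts from an asset inventory fall outside the networks to be examined. CIDR notation for address blocks, the function names and the sample values are assumptions made for this illustration.

```python
import ipaddress

def parse_networks_field(value):
    """Parse single IPs and/or address blocks from a comma-separated string.

    Returns (networks, errors). Address blocks are assumed to use CIDR notation.
    """
    networks, errors = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            errors.append((raw, "empty entry"))
            continue
        try:
            # strict=True rejects a block with host bits set (10.5.1.7/24),
            # which usually means the intended block was mistyped.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors

def hosts_not_examined(networks, hosts):
    """Return the inventory hosts that fall outside every listed network."""
    missed = []
    for host in hosts:
        addr = ipaddress.ip_address(host)
        if not any(addr.version == net.version and addr in net
                   for net in networks):
            missed.append(host)
    return missed

# Constructed sample data (documentation and private ranges only).
SAMPLE_FIELD = "10.4.0.0/16, 192.168.1.10, 2001:db8::/32, 10.5.1.7/24"
SAMPLE_INVENTORY = ["10.4.12.9", "192.168.1.10", "192.168.1.11",
                    "2001:db8::5", "10.5.1.7"]

if __name__ == "__main__":
    nets, errs = parse_networks_field(SAMPLE_FIELD)
    for entry, reason in errs:
        print(f"invalid entry {entry!r}: {reason}")
    for host in hosts_not_examined(nets, SAMPLE_INVENTORY):
        print(f"host {host} is outside the networks to examine")
```

Hosts reported as outside the list would not be considered when recommendations are generated for that Networks value, so the output is a quick way to spot coverage gaps before generating them.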